USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT

US 20090265753A1
Filed: 04/16/2008
Published: 10/22/2009
Est. Priority Date: 04/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method of promoting user anonymity within a federated identity management system, the system comprising identity providers configured to authenticate users and service providers configured to provide services to the users, the method comprising:

creating an opaque group at a first identity provider to include multiple users of the federated identity management system, wherein each user has a primary identity within the system;

storing at the first identity provider an identity of the opaque group, wherein the identity references the primary identities of the member users; and

facilitating the provision of services by the service providers to members of the opaque group without allowing the service providers to know the primary identities of the members of the group.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for using an opaque group within a federated identity management environment, to prevent disclosure of identities of the group. An opaque group is constructed at an identity provider within the system and has a group identity that references primary system identities of its members (e.g., electronic mail addresses, public key certificates, network addresses). Services to the group (e.g., distribution of an object such as a document or electronic mail message, invitation to an online meeting, authentication as a member of the group) can be requested from service providers, but because service providers do not have access to members'"'"' primary identities, the service providers forward the requests to an identity provider that has access to the group identity. That identity provider retrieves the members'"'"' identities and completes the action.

119 Citations

19 Claims

1. A method of promoting user anonymity within a federated identity management system, the system comprising identity providers configured to authenticate users and service providers configured to provide services to the users, the method comprising:
- creating an opaque group at a first identity provider to include multiple users of the federated identity management system, wherein each user has a primary identity within the system;
  
  storing at the first identity provider an identity of the opaque group, wherein the identity references the primary identities of the member users; and
  
  facilitating the provision of services by the service providers to members of the opaque group without allowing the service providers to know the primary identities of the members of the group.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said facilitating comprises:
    - receiving at a first service provider a request to distribute an object to one or more members of the opaque group;
      
      forwarding the request from the service provider to an identity provider;
      
      at the identity provider, determining the primary identities of the one or more members; and
      
      forwarding the object to the one or more members from the identity provider.
  - 3. The method of claim 1, wherein said facilitating comprises:
    - at a first service provider;
      
      a connection request from a user asserting membership in the opaque group;
      
      issuing to an identity provider a request to verify the user'"'"'s membership in the opaque group; and
      
      at the identity provider, attempting to authenticate the user as a member of the group.
  - 4. The method of claim 1, wherein a user'"'"'s primary identity within the federated identity management system enables communication with that user.
  - 5. The method of claim 4, wherein the user'"'"'s primary identity is one of a group of identities comprising:
    - an electronic mail address;
      
      a digital certificate; and
      
      a network address.
  - 6. The method of claim 1, further comprising:
    - withholding the primary identities of each member of the opaque group from other members of the opaque group.
  - 7. The method of claim 1, further comprising:
    - populating the opaque group with secondary identities of members of the group, said secondary identities configured to allow the members to be identified within the group without using their primary identities.
  - 8. The method of claim 7, wherein a first member'"'"'s secondary identifier is configured to identify the identity provider that maintains the first members'"'"' primary identity without identifying the first member'"'"'s primary identity.
  - 9. The method of claim 7, wherein a first member'"'"'s secondary identifier is configured to identify another opaque group the first member belongs to.
  - 10. The method of claim 7, wherein a first member'"'"'s secondary identifier is configured to identify an indirection entity configured to enable communication with the first member via a method determined by a context of the communication.

11. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of promoting user anonymity within a federated identity management system, the system comprising identity providers configured to authenticate users and service providers configured to provide services to the users, the method comprising:
- creating an opaque group at a first identity provider to include multiple users of the federated identity management system, wherein each user has a primary identity within the system;
  
  storing at the first identity provider an identity of the opaque group, wherein the identity references the primary identities of the member users; and
  
  facilitating the provision of services by the service providers to members of the opaque group without allowing the service providers to know the primary identities of the members of the group.

12. A computer-implemented method of enabling users within a federated identity management system to access a resource of the system anonymously, the method comprising:
- establishing an identity of an opaque group at a first identity provider within the system;
  
  configuring said group identity to include identities of members of the group; and
  
  within the system, enabling service providers to provide services to the group without knowledge of the identities of the members of the group.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein said enabling comprises:
    - configuring the service providers to forward service requests for the group to an identity provider having access to said group identity.

14. A computer-readable medium storing instructions that, when executed by a computer, cause the computer to perform a method of enabling users within a federated identity management system to access a resource of the system anonymously, the method comprising:
- establishing an identity of an opaque group at a first identity provider within the system;
  
  configuring said group identity to include identities of members of the group; and
  
  within the system, enabling service providers to provide services to the group without knowledge of the identities of the members of the group.

15. A federated identity management system in which a service is provided to a group of anonymous users, the system comprising:
- an identity provider configured to authenticate users of the system;
  
  a service provider configured to;
  
  receive service requests from users of the system; and
  
  provide requested services to the users based on primary identities associated with the users; and
  
  a group identity stored at the identity provider and associated with an opaque group, wherein;
  
  said group identity comprises primary identities of members of the opaque group; and
  
  said group identity and not the members'"'"' primary identities are releasable to service providers;
  
  wherein the service provider is further configured to forward to the identity provider requests to provide services to the group.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The federated identity management system of claim 15, further comprising, for each member of the opaque group:
    - a secondary identity configured to identify the member within the opaque group without revealing the member'"'"'s primary identity.
  - 17. The federated identity management system of claim 16, wherein a first member'"'"'s secondary identifier is configured to identify a first identity provider configured to maintain the first members'"'"' primary identity, without identifying the first member'"'"'s primary identity.
  - 18. The federated identity management system of claim 16, wherein a first member'"'"'s secondary identifier is configured to identify another opaque group the first member belongs to.
  - 19. The federated identity management system of claim 16, wherein a first member'"'"'s secondary identifier is configured to identify an indirection entity configured to enable communication with the first member via a method determined by a context of the communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Proctor, Seth T., Anderson, Anne H.

Granted Patent

US 8,291,474 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

H04L 63/0421   Anonymous communication, i....

H04L 63/08   for authentication of entit...

H04L 63/104   Grouping of entities

USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

USING OPAQUE GROUPS IN A FEDERATED IDENTITY MANAGEMENT ENVIRONMENT

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links