IDENTITY SELECTOR FOR USE WITH A USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

US 20090300742A1
Filed: 05/27/2009
Published: 12/03/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. In an environment comprising a service provider environment including at least one identity provider and at least one relying party, and a user-portable user computing device including user identity information, a system, comprising:

an identity manager system configured to facilitate online interactions between a user and the service provider environment by managing identity requirements of the interactions;

the identity manager system comprisesan agent module configured to manage communications between the identity manager system and the user computing device,the agent module configured further to receive user identity information from the user computing device and to use the user identity information to facilitate interactions between the user and the service provider environment, andmeans for enabling communications between the identity manager system and the service provider environment.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An identity selector manages the identity requirements of an online interaction between a user and a service provider environment. The identity selector is adapted for interoperable use with a user-portable computing device. The user device enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The identity selector includes an agent module that facilitates communication with the user device. The identity selector imports the user identities from the user device and determines which user identities satisfy a security policy of a relying party. After the user selects one of the eligible user identities, the identity selector generates a token request based on the selected identity and forwards it to the user device, which in response issues a security token. The security token is returned to the identity selector and used to facilitate the authentication process.

Citations

20 Claims

1. In an environment comprising a service provider environment including at least one identity provider and at least one relying party, and a user-portable user computing device including user identity information, a system, comprising:
- an identity manager system configured to facilitate online interactions between a user and the service provider environment by managing identity requirements of the interactions;
  
  the identity manager system comprisesan agent module configured to manage communications between the identity manager system and the user computing device,the agent module configured further to receive user identity information from the user computing device and to use the user identity information to facilitate interactions between the user and the service provider environment, andmeans for enabling communications between the identity manager system and the service provider environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the user computing device comprises:
    - a means for providing first user identities; and
      
      a means, responsive to a token request in reference to one of the first user identities, for issuing a security token relative to the referenced user identity.
  - 3. The system of claim 2, wherein the identity manager system configured further to:
    - (i) receive identity requirements from the service provider environment relating to a service request, (ii) identify, as an eligible user identity, any user identity among the plurality of first user identities that satisfies the identity requirements, (iii) generate a token request in reference to an eligible user identity, (iv) send the token request to the user computing device, (v) receive the security token issued by the user computing device in response to the token request, and (vi) use the security token to facilitate the interactions between the user and the service provider environment relative to compliance with the identity requirements.
  - 4. The system of claim 2, wherein the identity manager system further comprises:
    - means for providing a plurality of second user identities each associated with a respective identity provider.
  - 5. The system of claim 4, wherein the identity manager system configured further to:
    - (i) receive identity requirements from the service provider environment relating to a service request, (ii) identify, as an eligible user identity, any user identity among the plurality of first user identities and the plurality of second user identities that satisfies the identity requirements, (iii) enable a user to select an eligible user identity, (iv) generate a token request in reference to the selected user identity, (v) in the event of a user identity selection drawn from the plurality of first identities, send the token request to the user computing device and receive the security token issued by the user computing device in response to the token request, (vi) in the event of a user identity selection drawn from the plurality of second identities, send the token request to the identity provider associated with the selected user identity and receive any security token issued by the identity provider occurring in response to the token request, and (vii) use the security token to facilitate the interactions between the user and the service provider environment relative to compliance with the identity requirements.
  - 6. The system of claim 2, wherein the identity manager system further comprises:
    - means for providing a plurality of second user identities;
      
      means, responsive to a security policy from a relying party, for determining whether any user identity satisfies the security policy from among the plurality of first user identities and the plurality of second user identities;
      
      means for enabling the user to make a selection from among the user identities determined to satisfy the security policy; and
      
      first means, responsive to a user selection drawn from the plurality of first user identities, for providing a token request based on the selected user identity, communicating the token request to the user computing device, and receiving the security token issued by the user computing device in response to the token request.
  - 7. The system of claim 6, further comprises:
    - the means for providing a plurality of second user identities includes a means for providing a plurality of managed identities each associated with a respective identity provider and a means for providing a plurality of self-issued identities;
      
      second means, responsive to a user selection drawn from the plurality of managed identities, for providing a token request based on the selected managed identity, communicating the token request to the identity provider associated with the selected managed identity, and receiving any security token issued by the identity provider occurring in response to the token request; and
      
      third means, responsive to a user selection drawn from the plurality of self-issued identities, for generating a security token based on the selected self-issued identity;
  - 8. The system of claim 7, further comprises:
    - the means for providing a plurality of self-issued identities includes a means for enabling a user to create and manage at least one self-issued identity; and
      
      the third means includes a means for generating a security token in reference to a self-issued identity.

9. In an environment including a service provider environment, an identity provider environment, a host computing system, a user-portable user computing device comprising user identity information including a plurality of first user identities, the user computing device configured to communicate with the host computing system, and a network connecting the host computing system to the service provider environment and the identity provider environment, a method, comprising:
- the host computing system initiating an interaction with the service provider environment;
  
  the host computing system receiving user identity information from the user computing device; and
  
  the host computing system using the user identity information received from the user computing device to manage identity requirements of the interaction.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The method of claim 9, further comprises:
    - the host computing system generating a token request relative to a first user identity;
      
      the host computing system communicating the token request to the user computing device;
      
      the user computing device issuing a security token in response to the token request; and
      
      the host computing system receiving further includes receiving the security token issued by the user computing device.
  - 11. The method of claim 10, further comprises:
    - the host computing system using further includes presenting the security token to the service provider environment to facilitate the interaction relative to compliance with the identity requirements.
  - 12. The method of claim 10, further comprises:
    - the host computing system retrieving from the user computing device at least one of the first user identities;
      
      the host computing system presenting the retrieved user identities to the user;
      
      the user selecting one of the retrieved user identities; and
      
      the host computing system generating further includes generating a token request relative to the selected user identity.
  - 13. The method of claim 10, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service occurring within the context of the interaction;
      
      the host computing system determining whether any of the first user identities satisfies the requirements of the security policy;
      
      the user selecting one of the first user identities determined to satisfy the security policy requirements; and
      
      the host computing system generating further includes generating a token request relative to the selected user identity.
  - 14. The method of claim 9, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service occurring within the context of the interaction;
      
      the host computing system providing a plurality of second user identities each associated with a respective identity provider in the identity provider environment;
      
      the host computing system determining whether any of the first user identities and the second user identities satisfies the security policy requirements;
      
      the user selecting one of the user identities determined to satisfy the security policy requirements;
      
      upon a user selection drawn from the first user identities, the host computing system generating a token request based on the selected user identity, the host computing system communicating the token request to the user computing device, the user computing device issuing a security token in response to the token request, and the host computing system receiving further includes receiving the security token issued by the user computing device; and
      
      upon a user selection drawn from the second user identities, the host computing system generating a token request based on the selected user identity, communicating the token request to the identity provider associated with the selected user identity, and receiving any security token issued by the identity provider occurring in response to the token request.

15. In an environment comprising a service provider environment including at least one service provider and at least one identity provider, a user-portable user computing device comprising user identity information including a plurality of first user identities, the user computing device further comprising a means for issuing a security token relative to any of the first user identities in response to a token request referencing one of the first user identities, a computer-readable medium having computer-executable instructions for execution by a processor, that, when executed, cause the processor to:
- generate a token request in reference to one of the first user identities;
  
  communicate the token request to the user computing device; and
  
  receive the security token issued by the user computing device in response to the token request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computer-readable medium of claim 15, wherein the instructions further cause the processor to:
    - retrieve from the user computing device at least one of the first user identities;
      
      present the retrieved user identities to a user;
      
      enable the user to select one of the retrieved user identities; and
      
      cause the generate operation to generate a token request relative to the selected user identity.
  - 17. The computer-readable medium of claim 15, wherein the instructions further cause the processor to:
    - receive a security policy in connection with a request for service;
      
      determine whether any of the first user identities satisfies the security policy;
      
      enable the user to select one of the first user identities determined to satisfy the security policy; and
      
      cause the generate operation to generate a token request relative to the selected user identity.
  - 18. The computer-readable medium of claim 15, wherein the instructions further cause the processor to:
    - retrieve from the user computing device at least one of the first user identities;
      
      provide a plurality of second user identities each defining a respective third-party managed identity and associated with a respective identity provider;
      
      enable a user to select one of the retrieved first user identities and the second user identities;
      
      in the event of a user selection pertaining to the first user identities, cause the generate operation to generate a token request relative to the selected first user identity; and
      
      in the event of a user selection pertaining to the second user identities, generate a token request relative to the selected second user identity and direct the token request to the identity provider associated with the selected second user identity.
  - 19. The computer-readable medium of claim 18, wherein the instructions further cause the processor to:
    - receive a security policy in connection with a request for service;
      
      determine whether any of the retrieved first user identities and the second user identities satisfies the security policy; and
      
      cause the enable operation to enable a user to make a selection only among the user identities determined to satisfy the security policy.
  - 20. The computer-readable medium of claim 15, wherein the instructions further cause the processor to:
    - initiate an interaction with the service provider environment;
      
      receive, within the context of the interaction with the service provider environment, a security policy having identity requirements;
      
      manage the security policy identity requirements of the interaction;
      
      the manage operation including operations to;
      
      determine whether any of the first user identities satisfies the security policy identity requirements,cause the generate operation to generate a token request in reference to a selectable one of the first user identities determined to satisfy the security policy identity requirements, anduse the security token issued by the user computing device to facilitate the interaction relative to compliance with the security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Open Invention Network LLC
Inventors
Ahn, Gail-Joon

Granted Patent

US 8,869,257 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

IDENTITY SELECTOR FOR USE WITH A USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY SELECTOR FOR USE WITH A USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links