USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

US 20090300747A1
Filed: 05/27/2009
Published: 12/03/2009
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a user-portable user computing device includinga storage comprising a plurality of first user identities,a storage comprising at least one user attribute, anda security token generator operatively coupled to the user attribute storage, the security token generator configured to receive a token request in reference to a first user identity and to generate a security token in accordance with the token request, using the at least one user attribute.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.

Citations

20 Claims

1. A system, comprising:
- a user-portable user computing device includinga storage comprising a plurality of first user identities,a storage comprising at least one user attribute, anda security token generator operatively coupled to the user attribute storage, the security token generator configured to receive a token request in reference to a first user identity and to generate a security token in accordance with the token request, using the at least one user attribute.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the user computing device is configured as a personal portable security device.
  - 3. The system of claim 1, wherein the user computing device further comprises:
    - a smart card.
  - 4. The system of claim 1, wherein the user identity storage comprises:
    - at least one information card each indicative of a respective user identity.
  - 5. The system of claim 4, wherein the at least one information card comprises:
    - at least one self-issued card; and
      
      at least one third-party managed card.
  - 6. The system of claim 1, further comprises:
    - a service provider environment including at least one identity provider and at least one relying party;
      
      an identity management module configured to facilitate online interactions between a user and the service provider environment by managing identity requirements of the interactions;
      
      the identity management module configured further to interact with the user computing device in the course of providing a security token in furtherance of facilitating the online interactions; and
      
      a network access connection to enable communications between the identity management module and the service provider environment.
  - 7. The system of claim 6, wherein the identity management module configured further to:
    - (i) receive identity requirements from the service provider environment relating to a service request, (ii) identify, as an eligible identity, any user identity among the plurality of first user identities that satisfies the identity requirements, (iii) generate a token request in reference to an eligible user identity, (iv) send the token request to the security token generator of the user computing device, and (v) receive the security token issued by the security token generator in response to the token request.
  - 8. The system of claim 6, wherein the identity management module further comprises:
    - means for providing a plurality of second user identities each associated with a respective identity provider;
      
      means, responsive to a security policy from a relying party, for determining whether any user identity satisfies the security policy from among the plurality of first user identities and the plurality of second user identities,means for enabling the user to make a selection from among the user identities determined to satisfy the security policy,first means, responsive to a user selection drawn from the plurality of first user identities, for providing a token request based on the selected user identity, communicating the token request to the security token generator of the user computing device, and receiving the security token generated thereby, andsecond means, responsive to a user selection drawn from the plurality of second user identifies, for providing a token request based on the selected user identity, communicating the token request to the identity provider associated with the selected user identity, and receiving any security token issued by the identity provider occurring in response to the token request.

9. In an environment including a service provider environment, an identity provider environment, a host computing system, a network connecting the host computing system to the service provider environment and the identity provider environment, and a user-portable user computing device configured to communicate with the host computing system and including a plurality of first user identities and at least one user attribute, a method, comprising:
- the host computing system generating a token request in reference to a first user identity;
  
  the user computing device receiving the token request; and
  
  the user computing device issuing a security token according to the token request, using the at least one user attribute.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprises:
    - the user computing device exporting at least one of the first user identities to the host computing system;
      
      the host computing system presenting at least one of the exported user identities to the user;
      
      the user selecting one of the exported user identities;
      
      the host computing system generating further includes generating a token request based on the selected user identity; and
      
      the host computing system communicating the token request to the user computing device.
  - 11. The method of claim 10, further comprises:
    - the user computing device communicating the security token issued in response to the token request to the host computing system; and
      
      the host computing system presenting the security token to the service provider environment in connection with an identification operation.
  - 12. The method of claim 10, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system determining whether any of the first user identities satisfies the requirements of the security policy; and
      
      the host computing system presenting further includes presenting only any first user identities determined to satisfy the requirements of the security policy.
  - 13. The method of claim 9, further comprises:
    - the user computing device exporting at least one user identity to the host computing system, in response to an import request from the host computing system; and
      
      the host computing system generating further includes generating a token request using one of the exported identities.
  - 14. The method of claim 9, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system determining whether any of the first user identities satisfies the requirements of the security policy; and
      
      the host computing system generating further includes generating a token relative to a user-selectable one of the first user identities determined to satisfy the requirements of the security policy.
  - 15. The method of claim 9, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system providing a plurality of second user identities each associated with a respective identity provider in the identity provider environment;
      
      determining whether any of the first user identities and the second user identities satisfies the security policy requirements;
      
      the user selecting one of the user identities determined to satisfy the security policy requirements;
      
      upon a user selection drawn from the first user identities, the host computing system generating a token request based on the selected user identity, communicating the token request to the user computing device, and receiving the security token generated thereby; and
      
      upon a user selection drawn from the second user identities, the host computing system generating a token request based on the selected user identity, communicating the token request to the identity provider associated with the selected user identity, and receiving any security token issued by the identity provider occurring in response to the token request.

16. A computer-readable medium having computer-executable instructions for execution by a processor, that, when executed, cause the processor to:
- receive a token request in reference to one of a plurality of user identities, the plurality of user identities located on the medium; and
  
  generate a security token in accordance with the token request.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer-readable medium of claim 16, wherein the instructions further cause the processor to:
    - associate each user identity with at least one user attribute located on the medium; and
      
      generate the security token using any user attribute associated with the user identity referenced by the token request.
  - 18. The computer-readable medium of claim 16, wherein the instructions further cause the processor to:
    - receive a determination specifying whether any of the user identities satisfies requirements of a security policy; and
      
      export any user identity determined to satisfy requirements of the security policy.
  - 19. The computer-readable medium of claim 18, wherein the instructions further cause the processor to:
    - receive a token request made in connection with user selection of one of the exported user identities; and
      
      generate a security token in accordance with the token request relating to the user identity selection.
  - 20. The computer-readable medium of claim 16, wherein the instructions further cause the processor to:
    - export at least one user identity;
      
      receive a token request relative to one of the exported identities; and
      
      issue a security token based on the token request, using user attribute information associated with the user identities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Open Invention Network LLC
Inventors
Ahn, Gail-Joon

Granted Patent

US 8,850,548 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USER-PORTABLE DEVICE AND METHOD OF USE IN A USER-CENTRIC IDENTITY MANAGEMENT SYSTEM

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links