FEDERATED REALM DISCOVERY

US 20090320116A1
Filed: 06/19/2008
Published: 12/24/2009
Est. Priority Date: 06/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method of obtaining a security token for accessing a network service within a federation, the network service residing outside a home realm of a security principal, the method comprising:

obtaining a system security token via an authentication request to directory services using domain-joined credentials, the domain-joined credentials including a security principal identifier;

receiving a partner security token in response to a request for authentication transmitted to a home security authority of the security principal, the request including the system security token;

submitting the partner security token to a non-home security authority associated with a network service without presenting a login user interface of the non-home security authority to the security principal;

receiving from the non-home security authority the security token for accessing the network service in response to the submission of the partner security token to the non-home security authority.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user'"'"'s credentials before the user'"'"'s secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user'"'"'s home realm and provide realm information directing the user device to login at the home realm.

38 Citations

View as Search Results

20 Claims

1. A method of obtaining a security token for accessing a network service within a federation, the network service residing outside a home realm of a security principal, the method comprising:
- obtaining a system security token via an authentication request to directory services using domain-joined credentials, the domain-joined credentials including a security principal identifier;
  
  receiving a partner security token in response to a request for authentication transmitted to a home security authority of the security principal, the request including the system security token;
  
  submitting the partner security token to a non-home security authority associated with a network service without presenting a login user interface of the non-home security authority to the security principal;
  
  receiving from the non-home security authority the security token for accessing the network service in response to the submission of the partner security token to the non-home security authority.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - identifying the home security authority of the security principal based on at least a portion of the security principal identifier received in the domain-joined credentials;
  - 3. The method of claim 2 wherein the identifying operation comprises:
    - identifying the home security authority of the security principal in a local realm list datastore using the at least a portion of the security principal identifier.
  - 4. The method of claim 2 wherein the identifying operation comprises:
    - submitting the at least a portion of the security principal identifier to a security authority of directory services within the federation;
      
      receiving from the security authority of the directory services realm information identifying the home security authority of the security principal from a realm list datastore accessible to the security authority of the directory services.
  - 5. The method of claim 1 further comprising:
    - authenticating the security principal with a security authority of directory services in the federation using the domain-joined user credentials of the security principal, prior to receiving the partner security token.
  - 6. The method of claim 1 further comprising:
    - presenting to the security principal a login user interface associated with directory services.
  - 7. The method of claim 1 further comprising:
    - requesting authentication transmitted to the identified home security authority of the security principal based on the system security token, prior to receiving the partner security token.
  - 8. The method of claim 1 further comprising:
    - storing the partner security token in a user device used to access the network service, responsive to receiving the partner security token.

9. A computer-readable storage medium having computer-executable instructions for performing a computer process that obtains a security token for accessing a network service within a federation, the network service residing outside a home realm of a security principal, the computer process comprising:
- obtaining a system security token via an authentication request to directory services using domain-joined credentials, the domain-joined credentials including a security principal identifier;
  
  identifying a home security authority of the security principal based on at least a portion of the security principal identifier received in the domain-joined credentials;
  
  receiving a partner security token in response to a request for authentication transmitted to the identified home security authority of the security principal, the request including the system security token;
  
  submitting the partner security token to a non-home security authority associated with a network service without presenting a login user interface of the non-home security authority to the security principal;
  
  receiving from the non-home security authority the security token for accessing the network service in response to the submission of the partner security token to the non-home security authority.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The computer-readable storage medium of claim 9 wherein the obtaining operation comprises:
    - signing into directory services through a login user interface using domain-joined credentials.
  - 11. The computer-readable storage medium of claim 9 wherein the identifying operation comprises:
    - identifying the home security authority of the security principal in a local realm list datastore using the at least a portion of the security principal identifier.
  - 12. The computer-readable storage medium of claim 9 wherein the identifying operation comprises:
    - submitting the at least a portion of the security principal identifier to a security authority of directory services within the federation;
      
      receiving from the security authority of the directory services realm information identifying the home security authority of the security principal from a realm list datastore accessible to the security authority of the directory services.
  - 13. The computer-readable storage medium of claim 9 wherein the computer process comprises:
    - authenticating the security principal with a security authority of directory services in the federation using the domain-joined user credentials of the security principal, prior to receiving the partner security token.
  - 14. The computer-readable storage medium of claim 9 wherein the computer process comprises:
    - presenting to the security principal a login user interface associated with directory services.
  - 15. The computer-readable storage medium of claim 9 wherein the computer process comprises:
    - requesting authentication transmitted to the identified home security authority of the security principal based on the system security token, prior to receiving the partner security token.
  - 16. The computer-readable storage medium of claim 9 wherein the computer process comprises:
    - storing the partner security token in a user device used to access the network service, responsive to receiving the partner security token.

17. A computer-readable storage medium having computer-executable instructions for performing a computer process that identifies a home security authority for authenticating a security principal within a federation, the computer process comprising:
- receiving at a non-home security authority a request from a security principal requesting identification of the home security authority of the security principal based on at least a portion of a security principal identifier of the security principal;
  
  evaluating a realm list providing one or more mappings between security principal identifiers or portions thereof and realm information, the realm information identifying the home security authority corresponding to the security principal identifier or portion thereof;
  
  sending from the non-home security authority to the security principal an identification of the home security authority of the security principal corresponding to the security principal identifier or a portion thereof that matches the at least a portion of the security principal identifier of the security principal.
- View Dependent Claims (18, 19, 20)
- - 18. The computer-readable storage medium of claim 17 wherein the non-home security authority and the home security authority are members of the federation.
  - 19. The computer-readable medium of claim 17 wherein a secret credential of the security principal is not received by the non-home security authority with the request.
  - 20. The computer-readable medium of claim 17 wherein the identification of the home security authority of the security principal includes a uniform resource locator to the home security authority.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Ayres, Lynn, Guo, Wei-Qiang, Faulkner, Sarah, Rouskov, Yordan, Chen, Rui

Granted Patent

US 8,544,074 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/41   where a single sign-on prov...

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/101   Access control lists [ACL]

H04L 9/3234   involving additional secure...

FEDERATED REALM DISCOVERY

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FEDERATED REALM DISCOVERY

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links