TRANSFORMING CLAIM BASED IDENTITIES TO CREDENTIAL BASED IDENTITIES

US 20100154041A1
Filed: 12/16/2008
Published: 06/17/2010
Est. Priority Date: 12/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method to be executed at least in part in a computing device for transforming a claim based identity to a credential based identity, the method comprising:

receiving a claim token issued by a trusted authority in response to a user request at a secure store service;

mapping a credential to a claim based on the token;

storing the credential in a secure manner;

in response to receiving the claim token for each request to access a resource associated with the secure store service, retrieving the credential; and

returning the credential to an originator of the request.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Claim based identities are transformed to a set of credentials and securely stored in a secure data store using a number of encryption schemes. The credentials are then used to authenticate applications requiring specific credential types. For each call to the secure store system, a client application may provide a claims token issued by a trusted source, which is used to search for corresponding credentials in the secure data store if the credentials have been created previously for the user.

Citations

20 Claims

1. A method to be executed at least in part in a computing device for transforming a claim based identity to a credential based identity, the method comprising:
- receiving a claim token issued by a trusted authority in response to a user request at a secure store service;
  
  mapping a credential to a claim based on the token;
  
  storing the credential in a secure manner;
  
  in response to receiving the claim token for each request to access a resource associated with the secure store service, retrieving the credential; and
  
  returning the credential to an originator of the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein a trust between the trusted authority and the secure store service is established based on a predefined process included in a claim specification.
  - 3. The method of claim 1, wherein issuance of the claim token is transparent to the user and handled by a collaboration service framework.
  - 4. The method of claim 3, further comprising:
    - employing Secure Socket Layer (SSL) protocol to secure the credential between the secure store service and the collaboration framework.
  - 5. The method of claim 1, wherein the claim token is a Security Assertions Markup Language (SAML) token.
  - 6. The method of claim 1, wherein the credential is created based on a Single Sign-On (SSO) claim based identity without relying on dependencies of underlying SSO architecture.
  - 7. The method of claim 1, wherein storing the credential based on the token includes encrypting the credential employing a master key.
  - 8. The method of claim 7, further comprising:
    - synchronizing the master key to each new secure store service instance; and
      
      synchronizing the master key to a change in a secure store service account associated with the user.
  - 9. The method of claim 1, wherein the master key is generated after the secure store service is provisioned.

10. A computer-readable storage medium with instructions stored thereon for transforming a claim based identity to a credential based identity, the instructions comprising:
- receiving a claim at a Secure Token Service (STS);
  
  providing a token upon authenticating the claim;
  
  receiving the token at a Secure Store Service (SSS), wherein the SSS has a trust relationship with the STS established based on a claim specification;
  
  mapping a credential to the claim based on the token;
  
  encrypting the credential using a master key; and
  
  storing the encrypted credential for use in authorization of subsequent requests for access by a user associated with the claim through providing the credential mapped to the claim.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The computer-readable storage medium of claim 10, wherein a plurality of credentials are mapped and stored based on the claim to provide to the user for authentication to a plurality of applications.
  - 12. The computer-readable storage medium of claim 10, wherein the master key is further utilized to at least one of:
    - backing up and restoring a secure data store containing the credential.
  - 13. The computer-readable storage medium of claim 10, wherein the instructions further comprise:
    - encrypting the master key with a pass phrase; and
      
      storing the encrypted master key along with the encrypted credential.
  - 14. The computer-readable storage medium of claim 13, wherein the pass phrase is provided by an SSS administrator and not stored within a system associated with the secure store service.

15. A system for transforming a claim based identity to a credential based identity, the system comprising:
- a Security Token Service (STS) executed on a web server for receiving a request for a claim token from a client application and providing the claim token to the client application upon authentication of a user associated with the claim;
  
  an application server including a memory and a processor coupled to the memory, the processor configured to execute a Secure Store Service (SSS) that includes;
  
  an SSS application for;
  
  mapping credentials to the claim based on received claim tokens;
  
  in response to receiving a request for access to a resource, searching for stored credentials corresponding to a claim token associated with a user submitting the request and providing the stored credentials to the user;
  
  a credential manager for;
  
  receiving and associating the credentials mapped to the claim with applications;
  
  a key manager for;
  
  encrypting the credentials for storing using a master key;
  
  encrypting the master key using an administrator provided pass phrase, wherein the encrypted master key is stored along with the encrypted credentials; and
  
  a secure data store for storing the encrypted credentials and the master key, wherein the secure data store is managed by the application server.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system of claim 15, wherein the credential manager is further configured to:
    - support ticketing for requests where a submitter of the requests and an authorized user associated with the request are distinct.
  - 17. The system of claim 15, wherein a SSS proxy is utilized to exchange claim tokens and credentials between the client application and the SSS.
  - 18. The system of claim 15, wherein the SSS further includes:
    - an application manager for;
      
      enabling a user to at least one from a set of;
      
      create, read, and delete an application.
  - 19. The system of claim 15, wherein the SSS is part of a hosted service providing a plurality of resources to authorized users.
  - 20. The system of claim 19, wherein the plurality of resources includes at least one from a set of:
    - access to data, access to printing resources, access to storage resources, access to computation resources, and access to communication resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dalzell, Javier, Varkey, Saji, Raj, Kaushik

Granted Patent

US 8,296,828 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

TRANSFORMING CLAIM BASED IDENTITIES TO CREDENTIAL BASED IDENTITIES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSFORMING CLAIM BASED IDENTITIES TO CREDENTIAL BASED IDENTITIES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links