CLAIMS-BASED AUTHORIZATION AT AN IDENTITY PROVIDER

US 20100299738A1
Filed: 05/19/2009
Published: 11/25/2010
Est. Priority Date: 05/19/2009
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

generating a claim at an identity provider using one or more processors of the identity provider, the claim including an indicator that specifies access rights of a first entity with respect to a first relying party; and

providing the indicator to the first relying party to enable the first relying party to determine whether the first entity is authorized to utilize a service provided by the first relying party.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described herein for managing access to services (e.g., Web sites, applications, results of executable operations, etc.) that are provided by relying parties. A relying party is a processing system that relies on an identity provider to authenticate an entity (e.g., user or software application) that attempts to access a service provided by the relying party. The identity provider is a processing system that is configured to perform authentication and authorization operations with respect to the entity. The identity provider generates a claim that indicates access rights of the entity with respect to the relying party. The identity provider provides the claim to the relying party via a user system or via a direct or indirect link that bypasses the user system. The relying party determines whether to allow the entity to access the service based on the access rights indicated by the claim.

Citations

20 Claims

1. A method comprising:
- generating a claim at an identity provider using one or more processors of the identity provider, the claim including an indicator that specifies access rights of a first entity with respect to a first relying party; and
  
  providing the indicator to the first relying party to enable the first relying party to determine whether the first entity is authorized to utilize a service provided by the first relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the first entity is a user.
  - 3. The method of claim 1, wherein the first entity is a software application.
  - 4. The method of claim 1, wherein providing the indicator includes providing the indicator to the first relying party via a user system communicatively coupled between the identity provider and the first relying party.
  - 5. The method of claim 1, further comprising:
    - authenticating the first entity at the identity provider;
      
      wherein providing the indicator to the first relying party is performed in response to authenticating the first entity at the identity provider.
  - 6. The method of claim 1, further comprising:
    - generating an encrypted token that includes the claim;
      
      wherein providing the indicator includes providing the encrypted token to the first relying party.
  - 7. The method of claim 1, further comprising:
    - determining the access rights of the first entity with respect to the first relying party based on a management policy rule that associates the access rights with a relationship between a set of entities that includes the first entity and a set of relying parties that includes the first relying party.
  - 8. The method of claim 7, further comprising:
    - defining the set of entities based on a role associated with the entities.
  - 9. The method of claim 7, further comprising:
    - defining the set of relying parties based on a risk level associated with the relying parties.
  - 10. The method of claim 1, further comprising:
    - generating a second claim at the identity provider that includes a second indicator specifying a workflow definition designating at least one operation that when executed facilitates the first entity obtaining access to the service provided by the first relying party; and
      
      providing the second indicator to the first relying party to enable the first relying party to inform the first entity of the workflow definition in response to the first entity being denied access to the service provided by the first relying party.
  - 11. The method of claim 10, further comprising:
    - in response to performance of the at least one operation, generating a revised claim or a new claim at the identity provider, the revised claim or the new claim including a revised indicator that specifies revised access rights of the first entity with respect to the first relying party, the revised access rights indicating that the first entity is authorized to access the service provided by the first relying party.
  - 12. The method of claim 1, further comprising:
    - generating a revised claim or a new claim at the identity provider, the revised claim or the new claim including a revised indicator that indicates revised access rights of the first entity with respect to the first relying party, in response to a change in an attribute of the first entity.

13. A method comprising:
- receiving an indicator from an identity provider at a relying party, the indicator specifying access rights of an entity with respect to the relying party; and
  
  determining at the relying party, using one or more processors of the relying party, whether the entity is authorized to utilize a service provided by the relying party based on the indicator.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13, wherein the entity is a user.
  - 15. The method of claim 13, wherein the entity is a software application.
  - 16. The method of claim 13, wherein receiving the indicator includes receiving the indicator at the relying party from the identity provider via a user system.
  - 17. The method of claim 13, wherein receiving the indicator at the relying party is performed in response to the entity being authenticated by the identity provider.

18. An identity provider comprising:
- an authentication module configured to authenticate an entity;
  
  a claim generation module configured to generate a claim that includes an indicator that specifies access rights of the entity with respect to a relying party; and
  
  an indicator providing module configured to provide the indicator to the relying party to enable the relying party to determine whether the entity is authorized to utilize a service provided by the relying party.
- View Dependent Claims (19, 20)
- - 19. The identity provider of claim 18, wherein the claim generation module is further configured to generate a second claim that includes a second indicator specifying a workflow definition designating at least one operation that when executed facilitates the entity obtaining access to the service provided by the relying party;
    - andwherein the indicator providing module is further configured to provide the second indicator to the relying party to enable the relying party to inform the entity of the workflow definition.
  - 20. The identity provider of claim 19, wherein the claim generation module is further configured to generate a revised claim or a new claim that includes a revised indicator that specifies revised access rights of the entity that authorize the entity to access the service provided by the relying party based on performance of the at least one operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Wahl, Mark

Application Number

US12/468,065
Publication Number

US 20100299738A1
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/305   by remotely controlling dev...

G06F 21/33   using certificates

G06F 21/335   for accessing specific reso...

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/102   Entity profiles

H04L 9/3213   using tickets or tokens, e....

CLAIMS-BASED AUTHORIZATION AT AN IDENTITY PROVIDER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CLAIMS-BASED AUTHORIZATION AT AN IDENTITY PROVIDER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links