USING CACHED SECURITY TOKENS IN AN ONLINE SERVICE

US 20120131660A1
Filed: 11/23/2010
Published: 05/24/2012
Est. Priority Date: 11/23/2010
Status: Active Grant

First Claim

Patent Images

1. A method for using cached security tokens in an online service, comprising:

receiving a request over a network from a client for a resource of the online service;

wherein the request comprises an identity claim that identifies a security token that is stored in a location that is separate from the request;

using the identity claim in the request to access the security token that is stored in a memory of the online service; and

using the accessed security token to determine when to provide the resource to the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security token service generates a security token for a user that is associated with a client and stores the full security token within a memory. The security token includes an identity claim that represents the identity of the generated security token. Instead of passing the entire security token back to the client, the identity claim is returned to the client. For each request the client makes to the service, the client passes the identity claim in the request instead of the full security token having all of the claims. The identity claim is much smaller then the full security token. When a computing device receives the identity claim within the request from the user, the identity claim is used to access the full security token that is stored in memory.

39 Citations

View as Search Results

20 Claims

1. A method for using cached security tokens in an online service, comprising:
- receiving a request over a network from a client for a resource of the online service;
  
  wherein the request comprises an identity claim that identifies a security token that is stored in a location that is separate from the request;
  
  using the identity claim in the request to access the security token that is stored in a memory of the online service; and
  
  using the accessed security token to determine when to provide the resource to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising generating a security token for the client and storing the generated security token in the memory;
    - wherein the generated security token comprises claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated security token.
  - 3. The method of claim 1, wherein storing the generated security token in the memory comprises storing the claims of the security token in binary form in the memory.
  - 4. The method of claim 2, further comprising when the security claim is not found in the memory using the identity claim sending the identity claim to a token issuing authority to generate another security token that is placed in the memory for future requests.
  - 5. The method of claim 1, wherein the memory is at least one of:
    - a cache and a distributed cache.
  - 6. The method of claim 1, wherein the security token is a Security Assertion Markup Language (SAML) token.
  - 7. The method of claim 1, wherein the identity claim comprises UserIdentity+“
    - ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)).
  - 8. The method of claim 1, wherein the identity claim comprises UserIdentity+“
    - ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.
  - 9. The method of claim 1, further comprising revoking the identity claim by deleting the associated security token from each memory in which it is stored.

10. A computer-readable storage medium having computer-executable instructions for using cached security tokens for users, comprising:
- receiving a request from a client for a resource that is located within a network;
  
  wherein the request comprises an identity claim that identifies a Security Assertion Markup Language (SAML) token that is stored in a memory that is within the network;
  
  accessing the SAML token using the identity claim that is contained within the received request; and
  
  using the accessed SAML token to determine when to provide the resource to the client.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The computer-readable storage medium of claim 10, further comprising generating a SAML token for the client and storing the generated SAML token in the memory;
    - wherein the generated SAML token comprises claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated SAML token.
  - 12. The computer-readable storage medium of claim 10, wherein storing the generated SAML token in the memory comprises storing the claims of the SAML token in binary form in the memory.
  - 13. The computer-readable storage medium of claim 11, further comprising when the security claim is not found in the memory using the identity claim sending the identity claim to a token issuing authority to generate another security token that is placed in the memory for future requests.
  - 14. The computer-readable storage medium of claim 10, wherein the memory is at least one of:
    - a cache and a distributed cache that is within the network.
  - 15. The computer-readable storage medium of claim 10, wherein the identity claim comprises one of:
    - UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)) and UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.
  - 16. The computer-readable storage medium of claim 10, further comprising revoking the identity claim by deleting the associated SAML token from each memory in which it is stored.

17. A system for routing requests in an online service, comprising:
- a processor and a computer-readable medium;
  
  an operating environment stored on the computer-readable medium and executing on the processor;
  
  a security token service that provides a security token service that is used to generate security tokens for users in a network, wherein the generated security tokens comprise claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated security token;
  
  wherein the identity claim is returned to the client instead of returning the generated security token;
  
  wherein at least some of the computing devices in the online service are configured to perform actions, comprising;
  
  receiving a request from a client for a resource that is located within the network;
  
  wherein the request comprises an identity claim that identifies a security token that is stored in a memory that is within the network;
  
  accessing the security token within a cache within the network using the identity claim that is contained within the received request; and
  
  using the accessed security token to determine when to provide the resource to the client.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein accessing the security token using the identity claim that is contained within the received request comprises determining a tenancy that is associated with the client and accessing the security token that is associated with the determined tenancy for the client.
  - 19. The system of claim 17, wherein the identity claim comprises one of:
    - UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)) and UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.
  - 20. The system of claim 17, further comprising revoking the identity claim by deleting the associated security token from each memory in which it is stored.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Dalzell, Javier, Hopmann, Alexander, Nguyen, Huy

Granted Patent

US 8,850,550 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 9/3213   using tickets or tokens, e....

USING CACHED SECURITY TOKENS IN AN ONLINE SERVICE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

39 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

USING CACHED SECURITY TOKENS IN AN ONLINE SERVICE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

39 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links