IDENTITY ASSERTION FRAMEWORK

US 20120216268A1
Filed: 02/17/2011
Published: 08/23/2012
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain;

a service provider, implemented using one or more processors, within a second security domain to receive the first token and make a determination whether the first token is invalid in the second security domain; and

a second security token service to receive the first token from the service provider if the first token is valid in the second security domain, to make a determination whether the first token was issued by the first security token service, and to validate the first token according to a federation policy between the first security domain and the second security domain.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.

Citations

20 Claims

1. A system comprising:
- a first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain;
  
  a service provider, implemented using one or more processors, within a second security domain to receive the first token and make a determination whether the first token is invalid in the second security domain; and
  
  a second security token service to receive the first token from the service provider if the first token is valid in the second security domain, to make a determination whether the first token was issued by the first security token service, and to validate the first token according to a federation policy between the first security domain and the second security domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1, further comprising a central authority, the central authority to manage the federation policy.
  - 3. The system of claim 2, wherein the second security token service is a token authenticator within the central authority.
  - 4. The system of claim 2, wherein the central authority is configured to issue a federation token, the federation token being valid to the service provider in the second security domain and to another service provider in the first security domain.
  - 5. The system of claim 1, wherein the second security token service is within the second security domain.
  - 6. The system of claim 5, wherein the second security token service is to issue a second token to the consumer according to the federation policy, the second token issued according to a second issuing policy of the second security domain.
  - 7. The system of claim 1, further comprising an identity provider to perform an initial authentication of the consumer.
  - 8. The system of claim 7, wherein the second security token service is to resolve the first issuing policy and a second issuing policy within a federation using a key identifying the first security domain and the identity provider.
  - 9. The system of claim 1, further comprising a key to identify the service provider.
  - 10. The system of claim 1, wherein the service provider is to authenticate the first token based on a policy associated with the second security domain.

11. A method comprising:
- at a first security token service, issuing a first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain;
  
  at a second security token service, receiving the first token from a service provider in a second security domain;
  
  at the second security token service, determining that the first token was issued by the first security token service; and
  
  at the second security token service, validating the first token according to a federation policy between the first security domain and the second security domain.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising managing the federation policy at a central authority.
  - 13. The method of claim 12, further comprising, at the central authority, issuing a federation token, the federation token being valid to the service provider in the second security domain and to another service provider in the first security domain.
  - 14. The method of claim 11, further comprising arranging the second security token service to be located within the second security domain.
  - 15. The method of claim 14, further comprising, at the second security token service, issuing a second token to the consumer according to the federation policy, the second token issued according to a second issuing policy of the second security domain.
  - 16. The method of claim 11, further comprising, at an identity provider, performing an initial authentication of the consumer.
  - 17. The method of claim 16, further comprising resolving the first issuing policy and a second issuing policy within a federation using a key identifying the first security domain and the identity provider.
  - 18. The method of claim 11, further comprising identifying the service provider using a key.
  - 19. The method of claim 11, further comprising, at the service provider, authenticating the first token based on a policy associated with the second security domain.

20. A non-transitory computer-readable medium, the non-transitory computer readable medium comprising instructions executable by one or more processors that when executed by the one or more processors, cause the one or more processors to perform a method comprising:
- at a first security token service, issuing a first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain;
  
  at a second security token service, receiving the first token from a service provider in a second security domain;
  
  at the second security token service, determining that the first token was issued by the first security token service; and
  
  at the second security token service, validating the first token according to a federation policy between the first security domain and the second security domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Kassaei, Farhang, Travostino, Franco, Deshmukh, Neeti, Johnson, Peter, Khanna, Sachin, Bahety, Anand, Antony, Benoy

Granted Patent

US 8,990,557 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

IDENTITY ASSERTION FRAMEWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY ASSERTION FRAMEWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links