User impersonation/delegation in a token-based authentication system

US 20120254957A1
Filed: 03/28/2011
Published: 10/04/2012
Est. Priority Date: 03/28/2011
Status: Active Grant

First Claim

Patent Images

1. A method, operable within a trusted service, of enabling access to an application executing in a computing entity, comprising:

establishing a trust relationship with an identity provider;

requesting a token from the identity provider;

receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential;

on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and

upon establishing the trusted service as an authenticated user, accessing the application.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A “trusted service” establishes a trust relationship with an identity provider and interacts with the identity provider over a trusted connection. The trusted service acquires a token from the identity provider for a given user (or set of users) without having to present the user'"'"'s credentials. The trusted service then uses this token (e.g., directly, by invoking an API, by acquiring another token, or the like) to access and obtain a cloud service on a user'"'"'s behalf even in the user'"'"'s absence. This approach enables background services to perform operations within a hosted session (e.g., via OAuth-based APIs) without presenting user credentials or even having the user present.

181 Citations

25 Claims

1. A method, operable within a trusted service, of enabling access to an application executing in a computing entity, comprising:
- establishing a trust relationship with an identity provider;
  
  requesting a token from the identity provider;
  
  receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential;
  
  on behalf of a user, using the token and a user credential to establish the trusted service as an authenticated user to the application; and
  
  upon establishing the trusted service as an authenticated user, accessing the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as described in claim 1 wherein the token is used to establish the trusted service as an authenticated user by forwarding the token to a service provider associated with the identity provider and, upon a validation, receiving an authentication session token, the authentication session token indicating that the trusted service is an authenticated user for a session.
  - 3. The method as described in claim 2 wherein the token is a generic token for a set of authorized users.
  - 4. The method as described in claim 3 wherein the validation checks to determine that the user credential is associated with the generic token.
  - 5. The method as described in claim 2 wherein the token is a specific token for an authorized user.
  - 6. The method as described in claim 5 wherein the validation identifies a username associated with the specific token and verifies that the username matches the user credential.
  - 7. The method as described in claim 2 wherein the validation is performed at least in part by the identity provider.
  - 8. The method as described in claim 1 wherein the computing entity is a shared pool of configurable computing resources.
  - 9. The method as described in claim 1 wherein the trusted service accesses the application using an OAuth-based application programming interface (API).

10. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method of enabling access to an application executing in a computing entity, the method comprising;
  
  establishing a trust relationship with an identity provider;
  
  requesting a token from the identity provider;
  
  receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential;
  
  on behalf of a user, using the token and a user credential to obtain an authenticated user identity by which the user can be impersonated to the application; and
  
  upon receiving the authenticated user identity, accessing the application.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The apparatus as described in claim 10 wherein the token is used by forwarding the token to a service provider associated with the identity provider and, upon a validation, receiving the authenticated user identity.
  - 12. The apparatus as described in claim 11 wherein the token is a generic token for a set of authorized users.
  - 13. The apparatus as described in claim 12 wherein the validation checks to determine that the user credential is associated with the generic token.
  - 14. The apparatus as described in claim 11 wherein the token is a specific token for an authorized user.
  - 15. The apparatus as described in claim 14 wherein the validation identifies a username associated with the specific token and verifies that the username matches the user credential.

16. A computer program product in a computer readable medium for use in a data processing system, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method of enabling access to an application executing in a computing entity, the method comprising:
- establishing a trust relationship with an identity provider;
  
  requesting a token from the identity provider;
  
  receiving the token from the identity provider, the token having been generated by the identity provider without requiring a user credential;
  
  on behalf of a user, using the token and a user credential to obtain an authenticated user identity by which the user can be impersonated to the application; and
  
  upon receiving the authenticated user identity, accessing the application.
- View Dependent Claims (17, 18, 19)
- - 17. The computer program product as described in claim 16 wherein the token is used by forwarding the token to a service provider associated with the identity provider and, upon a validation, receiving the authenticated user identity.
  - 18. The computer program product as described in claim 17 wherein the token is a generic token for a set of authorized users.
  - 19. The computer program product as described in claim 18 wherein the validation checks to determine that the user credential is associated with the generic token.

20. The computer program product as described in 17 wherein the token is a specific token for an authorized user.
- View Dependent Claims (21)
- - 21. The computer program product as described in claim 20 wherein the validation identifies a username associated with the specific token and verifies that the username matches the user credential.

22. An identity provider apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions executed by the processor to perform a method, comprising;
  
  establishing a trust relationship with a trusted service over a trusted connection;
  
  receiving from the trusted service a request for a token;
  
  generating the token without requiring a user credential; and
  
  returning the token to the trusted service to enable the trusted service to impersonate a user by using the token and a user credential to obtain an authenticated user identity.
- View Dependent Claims (23, 24, 25)
- - 23. The identity provider apparatus as described in claim 22 wherein the method further includes, at a subsequent time, receiving the token and performing a validation.
  - 24. The identity provider apparatus as described in claim 23 wherein the token is a generic token for a set of authorized users and the validation checks to determine that the user credential is associated with the generic token.
  - 25. The identity provider apparatus as described in claim 23 wherein the token is a specific token for an authorized user, and the validation identifies a username associated with the specific token and verifies that the username matches the user credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Price, Vincent Edmund, Fork, Michael John

Granted Patent

US 9,497,184 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

G06F 2221/2115   Third party

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0823   using certificates cryptogr...

H04L 63/083   using passwords cryptograph...

H04L 63/0884   by delegation of authentica...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3234   involving additional secure...

User impersonation/delegation in a token-based authentication system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

181 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

User impersonation/delegation in a token-based authentication system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links