HOME REALM DISCOVERY IN MIXED-MODE FEDERATED REALMS

US 20130117826A1
Filed: 11/09/2011
Published: 05/09/2013
Est. Priority Date: 11/09/2011
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising one or more computer storage media having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause an application to perform a method for authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising:

an act of responding to requests for service from valid identities in the realm that are to be authenticated by direct authentication with a direct authentication interface;

an act of responding to requests for service from valid identities in the realm that are to be authenticated by federated authentication with a federated authentication interface; and

an act of responding to requests for service from invalid identities pseudo-randomly with either the direct authentication interface or the federated authentication interface.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.

Citations

20 Claims

1. A computer program product comprising one or more computer storage media having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause an application to perform a method for authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising:
- an act of responding to requests for service from valid identities in the realm that are to be authenticated by direct authentication with a direct authentication interface;
  
  an act of responding to requests for service from valid identities in the realm that are to be authenticated by federated authentication with a federated authentication interface; and
  
  an act of responding to requests for service from invalid identities pseudo-randomly with either the direct authentication interface or the federated authentication interface.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer program product in accordance with claim 1, wherein the method is performed by a service provider or application.
  - 3. The computer program product in accordance with claim 2, wherein the federated authentication interface prompts a user to negotiate authentication with a third-party identity provider to receive credentials that may then be provided back to the service provider or application.
  - 4. The computer program product in accordance with claim 3, wherein the third-party identity provider is an enterprise identity provider.
  - 5. The computer program product in accordance with claim 3, wherein the third-party identity provider is a consumer identity provider.
  - 6. The computer program product in accordance with claim 1, wherein each of the three acts of responding take approximately the same amount of time.
  - 7. The computer program product in accordance with claim 1, wherein the act of responding to requests for service from invalid identities pseudo-randomly results in the same determination for any given invalid entity each time a request is made on behalf of the invalid identity.
  - 8. The computer program product in accordance with claim 1, the act of responding to requests for service from invalid identities pseudo-randomly comprises the following for each of such requests for service from invalid identities:
    - an act of encrypting the invalid identity;
      
      an act of hashing the encryption of the invalid identity; and
      
      an act of determining whether to respond with a direct authentication interface or a federated authentication interface based on the hash result of the invalid identity.

9. A computer-implemented method for authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising:
- an act of receiving a first request for service associated with a first identity in a realm;
  
  an act of determining that the first identity is a valid identity and is one of a plurality of identities in the realm that are to be authenticated by direct authentication;
  
  an act of responding to the first request for service with a direct authentication interface;
  
  an act of receiving a second request for service associated with a second identity in the realm;
  
  an act of determining that the second identity is a valid identity and is one of a plurality of identities in the realm that are to be authenticated by federated authentication;
  
  an act of responding to the second request for service with a federated authentication interface;
  
  an act of receiving a third request for service associated with a third identity in the realm;
  
  an act of determining that the third identity is not a valid identity;
  
  an act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface; and
  
  an act or responding to the third request for service with the determined authentication interface.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The method in accordance with claim 9, wherein the act of responding to the first request, the act of responding to the second request, and the act of responding to the third request take approximately the same amount of time.
  - 11. The method in accordance with claim 10, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in the same determination each time a request is made on behalf of the invalid identity.
  - 12. The method in accordance with claim 11, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in an aggregated proportion of determination that is approximately the same as a proportion the number of the plurality of identities in the realm that are to be authenticated by direct authentication to the number of the plurality of identities in the realm that are to be authenticated by federated authentication.
  - 13. The method in accordance with claim 9, wherein the act of responding to the first request, the act of responding to the second request, and the act of responding to the third request take approximately the same amount of time such that it cannot be inferred based on the timing of the response whether the identity is a valid identity or an invalid identity.
  - 14. The method in accordance with claim 9, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in the same determination each time a request is made on behalf of the invalid identity.
  - 15. The method in accordance with claim 9, wherein the act of pseudo-randomly determining comprises:
    - an act of hashing the third identity; and
      
      an act of determining whether to respond with a direct authentication interface or a federated authentication interface based on the hash result of the third identity.
  - 16. The method in accordance with claim 9, wherein the act of pseudo-randomly determining comprises:
    - an act of encrypting the third identity;
      
      an act of hashing the encryption of the third identity; and
      
      an act of determining whether to respond with a direct authentication interface or a federated authentication interface based on the hash result of the third identity.
  - 17. The method in accordance with claim 16, wherein the act of encrypting is performed using an encryption key that is not specific to the realm.
  - 18. The method in accordance with claim 16, wherein the act of encrypting is performed using an encryption key that is specific to the realm.
  - 19. The method in accordance with claim 9, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in an aggregated proportion of determination that is approximately the same as a proportion the number of the plurality of identities in the realm that are to be authenticated by direct authentication to the number of the plurality of identities in the realm that are to be authenticated by federated authentication.

20. A computer program product comprising one or more computer storage media having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause an application to perform a method for a service provider or application authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising:
- an act of responding to requests for service from valid identities in the realm that are to be authenticated by direct authentication with a direct authentication interface;
  
  an act of responding to requests for service from valid identities in the realm that are to be authenticated by federated authentication with a federated authentication interface, wherein the federated authentication interface prompts a user to negotiate authentication with a third-party identity provider to receive credentials that may then be provided back to the service provider or application; and
  
  an act of responding to requests for service from invalid identities pseudo-randomly with either the direct authentication interface or the federated authentication interface, wherein the act of responding to requests for service from invalid identities pseudo-randomly results in the same determination for any given invalid entity each time a request is made on behalf of the invalid identity, the act of responding to requests for service from invalid identities pseudo-randomly comprises the following for each of such requests for service from invalid identities;
  
  an act of encrypting the invalid identity;
  
  an act of hashing the encryption of the invalid identity; and
  
  an act of determining whether to respond with a direct authentication interface or a federated authentication interface based on the hash result of the invalid identity,wherein each of the three acts of responding take approximately the same amount of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gordon, Ariel, Nicholson, David J.

Granted Patent

US 8,601,554 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

H04L 63/08 for authentication of entit...

HOME REALM DISCOVERY IN MIXED-MODE FEDERATED REALMS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

HOME REALM DISCOVERY IN MIXED-MODE FEDERATED REALMS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links