Secure configuration catalog of trusted identity providers

US 20140068743A1
Filed: 08/30/2012
Published: 03/06/2014
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for enabling access to a protected resource, comprising:

in association with a service provider, maintaining a catalog of information identifying one or more identity providers that are trusted by a service provider, the service provider executing on a data processing machine having a hardware element;

upon receipt by the service provider of identity information representing a user that has authenticated to an identity provider, determining, using information in the catalog of information, whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf; and

if the identity provider is trusted, permitted the user to access the protected resource.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP'"'"'s behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider'"'"'s behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.

Citations

21 Claims

1. A method for enabling access to a protected resource, comprising:
- in association with a service provider, maintaining a catalog of information identifying one or more identity providers that are trusted by a service provider, the service provider executing on a data processing machine having a hardware element;
  
  upon receipt by the service provider of identity information representing a user that has authenticated to an identity provider, determining, using information in the catalog of information, whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf; and
  
  if the identity provider is trusted, permitted the user to access the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as described in claim 1 wherein the determining step uses the information in the catalog to verify that the service provider uses the identity provider and that a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid.
  - 3. The method as described in claim 2 wherein the cryptographic artifact is a digital certificate associated with the identity provider.
  - 4. The method as described in claim 1 wherein the identity information is a SAML assertion.
  - 5. The method as described in claim 1 further including restricting write access to the catalog of information.
  - 6. The method as described in claim 1 wherein the catalog of information comprises a discrete and secure configuration document associated with each identity provider.
  - 7. The method as described in claim 1 wherein the method further comprises:
    - receiving a request to access the protected resource;
      
      using information in the catalog to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.

8. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method for enabling access to a protected resource, the method comprising;
  
  in association with a service provider, maintaining a catalog of information identifying one or more identity providers that are trusted by a service provider;
  
  upon receipt by the service provider of identity information representing a user that has authenticated to an identity provider, determining, using information in the catalog of information, whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf; and
  
  if the identity provider is trusted, permitted the user to access the protected resource.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The apparatus as described in claim 8 wherein the determining step uses the information in the catalog to verify that the service provider uses the identity provider and that a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid.
  - 10. The apparatus as described in claim 9 wherein the cryptographic artifact is a digital certificate associated with the identity provider.
  - 11. The apparatus as described in claim 8 wherein the identity information is a SAML assertion.
  - 12. The apparatus as described in claim 8 wherein the method further includes restricting write access to the catalog of information.
  - 13. The apparatus as described in claim 8 wherein the catalog of information comprises a discrete and secure configuration document associated with each identity provider.
  - 14. The apparatus as described in claim 8 wherein the method further comprises:
    - receiving a request to access the protected resource;
      
      using information in the catalog to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.

15. A computer program product in a non-transitory computer readable medium for use in a data processing system for providing identity provider services using an identity provider instance discovery service, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method for enabling access to a protected resource, the method comprising:
- in association with a service provider, maintaining a catalog of information identifying one or more identity providers that are trusted by a service provider;
  
  upon receipt by the service provider of identity information representing a user that has authenticated to an identity provider, determining, using information in the catalog of information, whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf; and
  
  if the identity provider is trusted, permitted the user to access the protected resource.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer program product as described in claim 15 wherein the determining step uses the information in the catalog to verify that the service provider uses the identity provider and that a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid.
  - 17. The computer program product as described in claim 16 wherein the cryptographic artifact is a digital certificate associated with the identity provider.
  - 18. The computer program product as described in claim 15 wherein the identity information is a SAML assertion.
  - 19. The computer program product as described in claim 15 wherein the method further includes restricting write access to the catalog of information.
  - 20. The computer program product as described in claim 15 wherein the catalog of information comprises a discrete and secure configuration document associated with each identity provider.
  - 21. The computer program product as described in claim 15 wherein the method further comprises:
    - receiving a request to access the protected resource;
      
      using information in the catalog to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Workday Incorporated
Original Assignee
International Business Machines Corporation
Inventors
Marcus, Jane B., Eldridge, Alan D., Kern, David Scott, Mancuso, Patrick Charles, Paganetti, Robert John, Kerrigan, Michael J.

Granted Patent

US 9,690,920 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

Secure configuration catalog of trusted identity providers

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Secure configuration catalog of trusted identity providers

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links