TRUSTED THIRD PARTY CLIENT AUTHENTICATION

US 20140075188A1
Filed: 09/11/2012
Published: 03/13/2014
Est. Priority Date: 09/11/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, wherein the SAML token is encrypted for the video service provider system and signed by a third party security token service (STS) device, and the third party device is associated with a third party user account;

decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system;

validating the SAML assertion based on a third party public key associated with the third party STS device;

retrieving a third party account user identifier and a device type;

identifying a link time based on the third party account user identifier, wherein the link time is a time that the third party user account was linked with a service provider user account associated with the video service provider system;

identifying a password change time (PCT) stamp associated with the service provider user account; and

providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system, validating the SAML assertion based on a third party public key associated with the third party STS, and retrieving a third party account user identifier and a device type. The method also includes identifying a link time based on the third party account user identifier, identifying a password change time (PCT) stamp associated with the service provider user account, and providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.

37 Citations

View as Search Results

20 Claims

1. A computer-implemented method comprising:
- receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, wherein the SAML token is encrypted for the video service provider system and signed by a third party security token service (STS) device, and the third party device is associated with a third party user account;
  
  decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system;
  
  validating the SAML assertion based on a third party public key associated with the third party STS device;
  
  retrieving a third party account user identifier and a device type;
  
  identifying a link time based on the third party account user identifier, wherein the link time is a time that the third party user account was linked with a service provider user account associated with the video service provider system;
  
  identifying a password change time (PCT) stamp associated with the service provider user account; and
  
  providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - providing notification that the third party user account is not linked with the service provider user account in response to determining that the PCT stamp is later than the link time.
  - 3. The computer-implemented method of claim 1, wherein providing the online video session to the third party device further comprises:
    - providing a success response and a session cookie to the third party device.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving a SAML response from a partner federated STS (FSTS) device, wherein the SAML response includes a SAML assertion signed by a partner identity (ID) STS device and encrypted for the FSTS device;
      
      decrypting the SAML assertion with the private key associated with the video service provider system;
      
      validating the SAML assertion based on a third party public key associated with the third party STS;
      
      retrieving a party account number associated with the third party account;
      
      creating the online video session; and
      
      associating the online video session to the party account number.
  - 5. The computer-implemented method of claim 4, further comprising:
    - receiving a link account request from the third party device, wherein the link account request includes a SAML token signed by the third party STS device and encrypted for the video service provider system;
      
      decrypting the SAML assertion with the private key associated with the video service provider system;
      
      validating the SAML assertion based on a third party public key associated with the third party STS;
      
      retrieving a third party user ID and a device type; and
      
      creating an entry in an account link table based on the third party user ID and the party account number.
  - 6. The computer-implemented method of claim 5, wherein creating an entry in an account link table further comprises:
    - identifying the third party user ID, the party account number, a device type, and a link time.
  - 7. The computer-implemented method of claim 1, wherein the SAML token is a SAML 2.0 token.
  - 8. The computer-implemented method of claim 1, further comprising;
    - authenticating the SAML token based on a web services (WS) trust protocol.
  - 9. The computer-implemented method of claim 1, further comprising:
    - encrypting the third party account user identifier, and a party account number based on a public key of the video service provider system.

10. A computer-implemented method comprising:
- sending, from a third party device, a simple object access protocol (SOAP) web services (WS) trust request including service provider login credentials associated with a service provider user account to a partner identity (ID) STS device, wherein the partner ID STS device is associated with a partner entity of a service provider entity that manages a video service provider system;
  
  receiving a SOAP response including an SAML assertion signed by the partner ID STS device and encrypted for a partner federated STS (FSTS) device after the partner ID STS device validates the service provider login credentials;
  
  sending a request for an online video session to the video service provider system; and
  
  receiving a success response and a session cookie.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-implemented method of claim 10, further comprising:
    - sending, from the third party device, a request for a security markup assertion language (SAML) token with the third party authorization token to a third party security token service (STS), wherein the third party device is associated with a third party user account and the third party STS provides authentication in association with a third party entity;
      
      receiving a response including the requested SAML token, wherein the third party STS provides the requested SAML token after validation of the third party authorization token and the requested SAML token is signed by the third party STS and encrypted for the video service provider system;
      
      sending a link account request including the requested SAML token to the video service provider system; and
      
      receiving a second success response and a session cookie.
  - 12. The computer-implemented method of claim 10, further comprising:
    - requesting an online video session with the requested SAML token as an input from the video service provider system; and
      
      receiving another success response and a session cookie if the video service provider system determines that the third party user account is associated with a currently linked service provider user account.
  - 13. The computer-implemented method of claim 12, further comprising:
    - receiving a denial message if the video service provider system determines that the third party user account is not associated with a currently linked service provider user account.

14. A video service provider device, comprising:
- a memory to store a plurality of instructions; and
  
  a processor configured to execute instructions in the memory to;
  
  receive a request for an online video session from a third party device, wherein the request for an online video session includes a security markup assertion language (SAML) assertion signed by a partner identity (ID) security token service (STS) device and encrypted for a partner federated STS (FSTS) device;
  
  send a simple object access protocol (SOAP) web services (WS) trust request including the SAML assertion signed by the partner ID STS device and encrypted for the partner FSTS device to the partner FSTS device;
  
  receive a SAML response from the partner FSTS device, wherein the SAML response includes the SAML assertion;
  
  decrypt the SAML assertion with a private key associated with the video service provider device;
  
  validate the SAML assertion based on a third party public key associated with a third party STS device;
  
  retrieve a party account number associated with a third party account;
  
  create the online video session;
  
  associate the online video session with the party account number; and
  
  send a success response with a session cookie to the third party device.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The video service provider device of claim 14, wherein the processor is further configured to:
    - receive a link account request including a SAML assertion signed by a third party STS device and encrypted for the video service provider device;
      
      decrypt the SAML assertion with a private key associated with the video service provider device;
      
      validate the SAML assertion based on a third party public key associated with the third party STS device;
      
      retrieve a third party user ID and a device type; and
      
      create an entry in an account link table based on the third party user ID and the party account number.
  - 16. The video service provider device of claim 15, wherein, when creating the entry in the account link table, the processor is further configured to:
    - identify the third party user ID, the party account number, a device type of the third party device, and a link time.
  - 17. The video service provider device of claim 15, wherein the processor is further configured to:
    - receive a request for an online video session with a SAML token as an input from the third party device, wherein the SAML token is encrypted for the video service provider device and signed by the third party STS device and the third party device is associated with a third party user account;
      
      decrypt a SAML assertion in the SAML token with a private key associated with the video service provider device;
      
      validate the SAML assertion based on a third party public key associated with the third party STS device;
      
      retrieve a third party account user identifier and a device type;
      
      identify a link time based on the third party account user identifier, wherein the link time is a time that the third party user account was linked with a service provider user account associated with the video service provider device;
      
      identify a password change time (PCT) stamp associated with the service provider user account; and
      
      provide the online video session to the third party device if the PCT stamp is not later than the link time.
  - 18. The video service provider device of claim 17, wherein the processor is further configured to:
    - provide notification that the third party user account is not linked with the service provider user account if the PCT stamp is later than the link time.

19. A system, comprising:
- a third party security token service (STS) device that provides security tokens associated with a third party entity; and
  
  a video service provider system that provides an online video service and is associated with a service provider entity; and
  
  wherein the third party STS device is configured to receive a simple object access protocol (SOAP) web services (WS) trust request for a security markup assertion language (SAML) token with a third party authorization token from a third party device, wherein the third party device is associated with a third party user account and a third party entity; and
  
  validate the authorization token and provide a SOAP response including a requested SAML token signed by the third party STS device and encrypted for the video service provider system; and
  
  wherein the video service provider system is configured to receive a request for an online video session from the third party device; and
  
  return a success response and a session cookie to the third party device if the video service provider system determines that the third party user account is associated with a currently linked service provider user account.
- View Dependent Claims (20)
- - 20. The system of claim 19, further comprising:
    - a partner identity (ID) STS device that provides security tokens associated with a partner entity of the service provider entity; and
      
      a partner federated STS (FSTS) device that manages a partner customer account associated with the video service provider system; and
      
      wherein the partner ID STS device is configured to receive another SOAP WS trust request including service provider login credentials associated with a identified service provider user account from the third party device;
      
      validate the service provider login credentials, andprovide a SOAP response including an SAML assertion signed by the partner ID STS device and encrypted for the partner FSTS device to the third party device; and
      
      wherein the video service provider system is further configured to receive a link account request including the requested SAML token from the third party device;
      
      send a further SOAP WS trust request to the partner FSTS device;
      
      receive a SAML response from the partner FSTS device; and
      
      send a second HTTP 200 response and a session cookie to the third party device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Yin, Fenglin, Hao, Jack Jianxiu

Granted Patent

US 9,003,189 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/335   for accessing specific reso...

H04L 2463/101   applying security measures ...

H04L 63/06   for supporting key manageme...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/146   Markers for unambiguous ide...

TRUSTED THIRD PARTY CLIENT AUTHENTICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

TRUSTED THIRD PARTY CLIENT AUTHENTICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links