IDENTITY ASSERTION FRAMEWORK

US 20150163251A1
Filed: 02/17/2015
Published: 06/11/2015
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. (Canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service associated with a first security domain is configured to receive a request for a first token from a device and issue the first token based on a first issuing policy of the first security domain. A token authenticator associated with a second security domain is configured to determine that the first token is not issued in the second security domain. A hardware-processor-implemented second security token service is configured to receive the first token from the token authenticator, determine that the first token was issued by the first security token service, and validate the first token based on a local federation policy that defines a federation agreement between the first security domain and the second security domain.

32 Citations

View as Search Results

21 Claims

1. (Canceled)

2. A system comprising:
- a first security token service associated with a first security domain and configured to;
  
  receive a request for a first token from a device andissue the first token based on a first issuing policy of the first security domain;
  
  a token authenticator associated with a second security domain and configured to determine that the first token is not issued in the second security domain; and
  
  a hardware-processor-implemented second security token service configured to;
  
  receive the first token from the token authenticator,determine that the first token was issued by the first security token service, andvalidate the first token based on a local federation policy that defines a federation agreement between the first security domain and the second security domain.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The system of claim 2, wherein the first issuing policy provides instructions to issue tokens and defines data to be stored in the issued tokens.
  - 4. The system of claim 2, wherein the first token is valid for one or more service providers within the first security domain.
  - 5. The system of claim 2, wherein the hardware-processor-implemented second security token service is associated with the second security domain and is further configured to:
    - invoke an identity assertion framework instance associated with the second security domain to examine one or more issuing policies of the second security domain to determine that the second security domain has the federation agreement with the first security domain.
  - 6. The system of claim 2, wherein the validating the first token based on the local federation policy includes verifying that a key has been exchanged between the first security domain and the second security domain.
  - 7. The system of claim 2, further comprising an identity provider configured to perform an initial authentication of the consumer.
  - 8. The system of claim 2, further comprising a central authority configured to issue a federation token based on identifying a centralized federation policy of the central authority that defines a further federation agreement between the first security domain and the second security domain, the federation token being valid to a first service provider in the first security domain and to a second service provider in the second security domain, and being accepted by the first service provider in the first security domain and the second service provider in the second security domain in allowing the consumer to invoke consumer sessions.

9. A method comprising:
- receiving a request for a first token from a device;
  
  issuing the first token based on a first issuing policy of the first security domain;
  
  determining that the first token is not issued in the second security domain;
  
  receiving the first token from the token authenticator;
  
  determining that the first token was issued by the first security token service; and
  
  validating the first token based on a local federation policy that defines a federation agreement between the first security domain and the second security domain.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein the first issuing policy provides instructions to issue tokens and defines data to be stored in the issued tokens.
  - 11. The method of claim 9, wherein the first token is valid for one or more service providers within the first security domain.
  - 12. The method of claim 9, further comprising:
    - invoking an identity assertion framework instance associated with the second security domain to examine one or more issuing policies of the second security domain to determine that the second security domain has the federation agreement with the first security domain.
  - 13. The method of claim 9, wherein the validating the first token based on the local federation policy includes verifying that a key has been exchanged between the first security domain and the second security domain.
  - 14. The method of claim 9, further comprising:
    - performing an initial authentication of the consumer.
  - 15. The method of claim 9, further comprising:
    - issuing a federation token based on identifying a centralized federation policy of the central authority that defines a further federation agreement between the first security domain and the second security domain, the federation token being valid to a first service provider in the first security domain and to a second service provider in the second security domain, and being accepted by the first service provider in the first security domain and the second service provider in the second security domain in allowing the consumer to invoke consumer sessions.

16. A non-transitory machine-readable medium comprising instructions that when executed by one or more hardware processors of a machine, cause the machine to perform operations comprising:
- receiving a request for a first token from a device;
  
  issuing the first token based on a first issuing policy of the first security domain;
  
  determining that the first token is not issued in the second security domain;
  
  receiving the first token from the token authenticator;
  
  determining that the first token was issued by the first security token service; and
  
  validating the first token based on a local federation policy that defines a federation agreement between the first security domain and the second security domain.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The non-transitory machine-readable medium of claim 16, wherein the first issuing policy provides instructions to issue tokens and defines data to be stored in the issued tokens.
  - 18. The non-transitory machine-readable medium of claim 16, wherein the first token is valid for one or more service providers within the first security domain.
  - 19. The non-transitory machine-readable medium of claim 16, the operations further comprising:
    - invoking an identity assertion framework instance associated with the second security domain to examine one or more issuing policies of the second security domain to determine that the second security domain has the federation agreement with the first security domain.
  - 20. The non-transitory machine-readable medium of claim 16, wherein the validating the first token based on the local federation policy includes verifying that a key has been exchanged between the first security domain and the second security domain.
  - 21. The non-transitory machine-readable medium of claim 16, the operations further comprising:
    - performing an initial authentication of the consumer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Kassaei, Farhang, Deshmukh, Neeti, Johnson, Peter, Travostino, Franco, Khanna, Sachin, Bahety, Anand, Antony, Benoy

Granted Patent

US 9,571,285 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

IDENTITY ASSERTION FRAMEWORK

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

32 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTITY ASSERTION FRAMEWORK

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links