Identity based service system
First Claim
1. A system, comprising:
a device;
at least one first entity associated with the device, the first entity comprising any of a user, a user agent and a principal;
a first user identifier in a first namespace associated with the first entity, the first user identifier comprising any of a name identifier and an identity assertion;
a second user identifier in a second namespace associated with the first entity, the second user identifier known to a service provider, the second namespace disparate from the first namespace, wherein the first user identifier and the second user identifier are pseudonymous to each other;
an authentication agency;
means for sending a login request from the first entity to the authentication agency;
means for receiving an assertion at the first entity from the authentication agency in response to the login request;
means for sending the received assertion and the first user identifier in the first namespace to a participant;
means for authenticating the first entity at the participant with the received assertion;
means for sending the first user identifier in the first namespace and a request for service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the received assertion, the request for service comprising a request for a service descriptor for locating the service provider, and a request for a service assertion for accessing the service provider;
means for translating the first user identifier in the first namespace to the second user identifier in the second namespace at the authentication agency;
means for sending the service descriptor, the service assertion, and the second user identifier from the authentication agency to the second entity in response to the sent request for service if the first entity is enabled for the requested service, wherein the sent second user identifier is sent in a format that the second entity is blinded to the second user identifier;
means for sending the service assertion to the service provider; and
means for providing the requested service for the second entity at the service provider in response to the received service assertion if the second entity is authorized for the requested service by the user.
Abstract
An identity based service system is provided, in which an identity is created and managed for a user or principal, such that at least a portion of the identity is available to use between one or more system entities. A discovery service enables a system entity to discover a service descriptor, given a service name and a name identifier of the user, whereby system entities can find and invoke the user's other personal web services. The discovery service preferably provides a translation between a plurality of namespaces, to prevent linkable identity information over time between system entities.
46 Claims
1. A system, comprising: (independent claim set out in full under First Claim above; dependent claims 2 to 14)
15. A system, comprising:
an authentication agency for authenticating a first entity comprising any of a user, a user agent and a principal, the first entity having a first user identifier in a first namespace and a second user identifier in a second namespace, the second user identifier known to a service provider, the first user identifier comprising any of a name identifier and an identity assertion, the second namespace disparate from the first namespace, wherein the first user identifier and the second user identifier are pseudonymous to each other, for sending an assertion to a device corresponding to the first entity, and for translating the first user identifier in the first namespace to the second user identifier in the second namespace; and
at least one second entity comprising:
means for receiving the assertion and the first user identifier from the first entity;
means for authenticating the first entity at the second entity with the received assertion;
means for sending a request for service and the first user identifier on behalf of the first entity to any of the authentication agency and a discovery service associated with the authentication agency;
means for receiving an authorization sent from the authentication agency in response to the sent request if the first entity is enabled for the requested service;
means for receiving the second user identifier sent from the authentication agency in a format that the second entity is blinded to the second user identifier;
means for invoking the requested authorized service at the service provider with the received authorization and the received second user identifier; and
means for receiving the invoked requested service from the service provider at the second entity if the second entity is authorized for the invoked requested service by the user.
(dependent claims 16 to 29)
30. A process, comprising the steps of:
sending a login request from a first entity associated with a device to an authentication agency, the first entity comprising any of a user, a user agent and a principal, the first entity having a first user identifier in a first namespace and a second user identifier in a second namespace, the second user identifier known to a service provider, the first user identifier comprising any of a name identifier and an identity assertion, the second namespace disparate from the first namespace, wherein the first user identifier and the second user identifier are pseudonymous to each other;
receiving an assertion at the first entity from the authentication agency in response to the login request;
sending the received assertion and the first user identifier to a participant;
authenticating the first entity at the participant with the received assertion;
sending the first user identifier in the first namespace and a request for a service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency, using the assertion;
translating the first user identifier in the first namespace to the second user identifier in the second namespace at the authentication agency;
sending an authorization and the translated second user identifier from the authentication agency to the second entity for the requested service in response to the sent request if the first entity is enabled for the requested service, wherein the translated second user identifier is sent in a format that the second entity is blinded to the second user identifier;
sending the authorization from the second entity to the service provider; and
providing the requested service for the second entity at the service provider in response to the sent authorization if the second entity is authorized for the requested service by the user.
(dependent claims 31 to 43)
44. A process, comprising the steps of:
providing an authentication agency networked to a service;
establishing an identity at the authentication agency for a first entity associated with a device, the first entity comprising any of a user, a user agent and a principal, the first entity having a first user identifier in a first namespace and a second user identifier in a second namespace, the second user identifier known to a service provider, the first user identifier comprising any of a name identifier and an identity assertion, the second namespace disparate from the first namespace, wherein the first user identifier and the second user identifier are pseudonymous to each other;
sending authentication information from the authentication agency to the device;
sending the authentication information and the first user identifier from the device to a participant;
authenticating the first entity at the participant with the authentication information;
sending the first user identifier in the first namespace and a request for a service on behalf of the first entity from a second entity comprising any of the participant and a service consumer associated with the participant to any of the authentication agency and a discovery service associated with the authentication agency;
translating the received first user identifier in the first namespace to the second user identifier in the second namespace at the authentication agency;
sending an authorization and the translated second user identifier from the authentication agency to the second entity to access the service on behalf of the first entity if the first entity is enabled for the service by the authentication agency;
establishing a link between the second entity and the service provider, based upon the authorization and the translated second user identifier; and
providing the requested service for the second entity at the service provider in response to the sent authorization and the translated second user identifier, if the second entity is authorized for the requested service by the user.
(dependent claims 45 and 46)
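The discovery step that claims 1, 15, 30 and 44 share, worked as an added stand-alone Go example (not code from the patent): the discovery service translates the participant's ns1 name identifier to the service provider's ns2 identifier, seals it so the second entity only forwards bytes it cannot read, and the service provider unblinds it once the authentication tag verifies. The namespace values, the single AES-256-GCM key shared by discovery service and service provider, the service URL and the choice to carry the service assertion as GCM associated data are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed demo key, shared by the discovery service and the service provider only; the
// second entity (service consumer) never holds it, so it stays blinded to the ns2 identifier.
var spKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256-GCM
// Discovery-service translation table (constructed): ns1 identifier (seen by the participant)
// -> ns2 identifier (known to the service provider); an entry exists only for enabled principals.
var translate = map[string]string{"ns1:7f3a9c": "ns2:user-41"}

// ServiceResponse is what the second entity receives and forwards to the service provider.
type ServiceResponse struct {
	Assertion string // service descriptor plus authorized service; authenticated as GCM AAD
	BlindedID []byte // nonce || AES-GCM(ns2 identifier); opaque to the second entity
}

func spAEAD() cipher.AEAD { b, _ := aes.NewCipher(spKey); g, _ := cipher.NewGCM(b); return g }

// Discover runs at the authentication agency: translate ns1 -> ns2 and blind the result.
func Discover(firstID, service string) (*ServiceResponse, error) {
	secondID, ok := translate[firstID]
	if !ok {
		return nil, errors.New("first entity not enabled for the requested service")
	}
	g := spAEAD()
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	r := &ServiceResponse{Assertion: "sp=https://sp.example/" + service + ";service=" + service}
	r.BlindedID = g.Seal(nonce, nonce, []byte(secondID), []byte(r.Assertion))
	return r, nil
}

// Invoke runs at the service provider: a valid GCM tag proves the discovery service bound this
// assertion to this blinded identifier; only then is the ns2 identifier unblinded.
func Invoke(r *ServiceResponse) (string, error) {
	g := spAEAD()
	n := g.NonceSize()
	if len(r.BlindedID) < n {
		return "", errors.New("malformed blinded identifier")
	}
	id, err := g.Open(nil, r.BlindedID[:n], r.BlindedID[n:], []byte(r.Assertion))
	if err != nil {
		return "", errors.New("service assertion or blinded identifier rejected")
	}
	return string(id), nil
}
```

Because the second entity holds no key, two requests for the same principal yield unrelated ciphertexts, which is what keeps the ns1 and ns2 identities unlinkable from its point of view.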
Specification