Method and apparatus for handling user identities under single sign-on services

US 7,296,290 B2
Filed: 02/28/2003
Issued: 11/13/2007
Est. Priority Date: 02/28/2002
Status: Active Grant

First Claim

Patent Images

1. A method of handling and correlating a plurality of user-identities for a user having a plurality of local user-identities utilized to access a plurality of Service Providers, said method providing Single Sign-On services to the user when accessing a selected Service Provider from the plurality of Service Providers, the method comprising the steps of:

authenticating the user at an Authentication Provider with a user-identity used for authentication purposes;

providing the user with a token as proof that the user has already been authenticated by the Authentication Provider;

attempting a first access by the user at the selected Service Provider, said attempting step including presenting the token to the selected Service Provider along with a local user-identity valid for the selected Service Provider;

assigning at the Authentication Provider, a temporary alias-identity to the user to be utilized for a subsequent access of the user at the selected Service Provider identified by a given Service Provider identifier;

respectively linking the user-identity used for authentication purposes and the assigned alias-identity at the Authentication Provider and the local user-identity and the assigned alias-identity at the selected Service Provider, both Providers sharing and uniquely exchanging the alias-identity to identify the user at respective sites, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user;

providing the user with access by the selected Service Provider based on the shared alias-identity;

determining at a later time, that the user is attempting a subsequent access at the selected Service Provider; and

identifying the user by the shared alias-identity and providing access, if permanent linking was allowed by the user;

orrepeating the steps of assigning a temporary alias-identity, linking on a temporary basis, and providing access, if permanent linking was not allowed by the user.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for providing Single Sign-On services to a user when accessing a selected Service Provider from a plurality of Service Providers. An Authentication Provider authenticates the user at with a user-identity, provides the user with a token as proof of the authentication, and assigns a temporary alias-identity to the user for use when the user accesses the selected Service Provider. The Authentication Provider and the selected Service Provider link the assigned alias-identity and the user-identity to identify the user at respective sites. The user accesses the selected Service Provider by presenting the token along with a local user-identity valid for the selected Service Provider. When the user attempts a subsequent access at the selected Service Provider, the user is identified by the shared alias-identity, if the user allowed permanent linking. If the user did not allow permanent linking, the process is repeated for each subsequent access.

Citations

15 Claims

1. A method of handling and correlating a plurality of user-identities for a user having a plurality of local user-identities utilized to access a plurality of Service Providers, said method providing Single Sign-On services to the user when accessing a selected Service Provider from the plurality of Service Providers, the method comprising the steps of:
- authenticating the user at an Authentication Provider with a user-identity used for authentication purposes;
  
  providing the user with a token as proof that the user has already been authenticated by the Authentication Provider;
  
  attempting a first access by the user at the selected Service Provider, said attempting step including presenting the token to the selected Service Provider along with a local user-identity valid for the selected Service Provider;
  
  assigning at the Authentication Provider, a temporary alias-identity to the user to be utilized for a subsequent access of the user at the selected Service Provider identified by a given Service Provider identifier;
  
  respectively linking the user-identity used for authentication purposes and the assigned alias-identity at the Authentication Provider and the local user-identity and the assigned alias-identity at the selected Service Provider, both Providers sharing and uniquely exchanging the alias-identity to identify the user at respective sites, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user;
  
  providing the user with access by the selected Service Provider based on the shared alias-identity;
  
  determining at a later time, that the user is attempting a subsequent access at the selected Service Provider; and
  
  identifying the user by the shared alias-identity and providing access, if permanent linking was allowed by the user;
  
  orrepeating the steps of assigning a temporary alias-identity, linking on a temporary basis, and providing access, if permanent linking was not allowed by the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 wherein the linking step includes checking corresponding preferences of the user at an Authentication Provider user'"'"'s profile.
  - 3. The method of claim 1 wherein the step of attempting a first access by the user includes providing a password to identify the user locally at the Service Provider.
  - 4. The method of claim 1 wherein a second user not having yet an account with the Service Provider can provide a selected local identity and password to register an account with said Service Provider.
  - 5. The method of claim 1 wherein the step e) of linking respective user identities on a permanent basis includes the linking at the Authentication Provider the user-identity used for authentication purposes with the assigned alias-identity and with the selected Service Provider'"'"'s given identifier.
  - 6. The method of claim 5 wherein the step of linking the local user-identity and the assigned alias-identity at the selected Service Provider also includes linking an identifier of the Authentication Provider.

7. An Authentication Provider for carrying out a Single Sign-On authentication of a user accessing a selected Service Provider from a plurality of Service Providers utilized by the user, the user having a user-identity used for authentication purposes, the Authentication Provider comprising:
- means for authenticating the user with a user-identity used for authentication purposes;
  
  means for providing the user with a token as proof that the user has already been authenticated;
  
  means for assigning a temporary alias-identity to the user to be utilized for a subsequent access of the user at the selected Service Provider identified by a given Service Provider identifier;
  
  means for assigning a temporary alias-identity to the user to be utilized the selected Service Provider identified by a given Service Provider identifier;
  
  means for linking the assigned alias-identity with the user-identity used for authentication purposes and with the Service Provider identifier of the selected Service Provider, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user; and
  
  means for authenticating the user'"'"'s linked alias-identity towards the selected Service Provider whenever the user attempts a subsequent access at the selected Service Provider, if permanent linking was allowed.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The Authentication Provider of claim 7, further comprising a Session Manager that includes:
    - means for determining whether a user identified by an authentication user-identity has an active session;
      
      means for determining whether there is a linked alias-identity for the user with a session in a Service Provider; and
      
      means for ordering the generation of an authentication assertion with the linked alias-identity for the user.
  - 9. The Authentication Provider of claim 8, further comprising a Security Assertion Mark-up Language engine for generating an authentication assertion with a linked alias-identity for a user.
  - 10. The Authentication Provider of claim 7, further comprising an Identity Manager that includes:
    - means for determining whether a linked alias-identity exists for a user in a Service Provider;
      
      means for assigning a new alias-identity to the user; and
      
      means for linking the new alias-identity for the user in a Service Provider with an identifier of said Service Provider and with the user'"'"'s authentication user-identity.
  - 11. The Authentication Provider of claim 10, further comprising an Identity Manager for determining the user'"'"'s preferences regarding linking of the user'"'"'s identities.
  - 12. The Authentication Provider of claim 7, further comprising a user'"'"'s profile directory that stores the links of the user'"'"'s identities with the identifiers of Service Providers.

13. A Service Provider comprising:
- means for receiving a first service request from an accessing user. the first service request including an authentication token for the user that indicates that the user has already been authenticated;
  
  means for verifying the authentication token with an Authentication Provider that generated the token, andmeans for obtaining from the user, a local user-identity to identify a users account with the Service Providermeans for obtaining from the Authentication Provider a shared alias-identity for the user;
  
  means for linking the local user-identity with the received shared alias-identity, on a permanent basis if allowed by the user, or on a temporary basis if not allowed by the user;
  
  means for receiving a subsequent service request from the accessing user identifying the user'"'"'s shared alias-identity; and
  
  means for requesting the Authentication Provider to authenticate the user'"'"'s shared alias-identity whenever the user subsequently requests access, if permanent linking was allowed.
- View Dependent Claims (14, 15)
- - 14. The Service Provider of claim 13 further comprising means for registering a new user'"'"'s account with the Service Provider for a user not having a local user-identity assigned to any account with the Service Provider.
  - 15. The Service Provider of claim 13 further comprising means for linking an identifier of the Authentication Provider with the local user-identity and with the received shared alias-identity.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Barriga, Luis, Walker, John Michael, Pardo-Blazquez, Avelina, de Gregorio, Jesus-Angel
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Nalven; Andrew L

Application Number

US10/504,954
Publication Number

US 20050154913A1
Time in Patent Office

1,719 Days
Field of Search

726/8
US Class Current

726/8
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

G06F 2221/2115   Third party

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 67/04   specially adapted for termi...

H04L 67/1001   for accessing one among a p...

H04L 67/51   Discovery or management the...

H04W 12/068   using credential vaults, e....

Method and apparatus for handling user identities under single sign-on services

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for handling user identities under single sign-on services

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links