Method and apparatus for handling user identities under single sign-on services
First Claim
1. A method of handling and correlating a plurality of user-identities for a user having a plurality of local user-identities utilized to access a plurality of Service Providers, said method providing Single Sign-On services to the user when accessing a selected Service Provider from the plurality of Service Providers, the method comprising the steps of:
- authenticating the user at an Authentication Provider with a user-identity used for authentication purposes;
- providing the user with a token as proof that the user has already been authenticated by the Authentication Provider;
- attempting a first access by the user at the selected Service Provider, said attempting step including presenting the token to the selected Service Provider along with a local user-identity valid for the selected Service Provider;
- assigning, at the Authentication Provider, a temporary alias-identity to the user to be utilized for a subsequent access of the user at the selected Service Provider identified by a given Service Provider identifier;
- respectively linking the user-identity used for authentication purposes and the assigned alias-identity at the Authentication Provider, and the local user-identity and the assigned alias-identity at the selected Service Provider, both Providers sharing and uniquely exchanging the alias-identity to identify the user at respective sites, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user;
- providing the user with access by the selected Service Provider based on the shared alias-identity;
- determining, at a later time, that the user is attempting a subsequent access at the selected Service Provider; and
- identifying the user by the shared alias-identity and providing access, if permanent linking was allowed by the user;
- or repeating the steps of assigning a temporary alias-identity, linking on a temporary basis, and providing access, if permanent linking was not allowed by the user.
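The claimed exchange, as an added illustration that is not part of the patent text: an in-memory Authentication Provider issues a token, assigns a per-Service-Provider alias, and only vouches for that alias on later accesses when the user allowed permanent linking; the Service Provider links the alias to its own local user-identity and never learns the identity used at the Authentication Provider. All class and method names, and the token and alias formats, are assumptions made for this example.

```python
import secrets


class AuthenticationProvider:
    """Holds the user-identity used for authentication and the alias links."""

    def __init__(self):
        self.tokens = {}   # token -> user-identity (constructed in-memory store)
        self.links = {}    # (user-identity, sp_id) -> alias; permanent links only

    def authenticate(self, user_identity):
        # Constructed demo: credential checking is out of scope; issue a bearer token.
        token = secrets.token_urlsafe(16)
        self.tokens[token] = user_identity
        return token

    def verify_token(self, token):
        return token in self.tokens

    def assign_alias(self, token, sp_id, permanent):
        """Return the alias for (user, sp_id): reused if permanently linked, else fresh."""
        key = (self.tokens[token], sp_id)
        if key in self.links:
            return self.links[key]
        alias = secrets.token_hex(8)      # unique per user and per Service Provider
        if permanent:
            self.links[key] = alias
        return alias

    def authenticate_alias(self, sp_id, alias):
        """True only if this alias is permanently linked for this Service Provider."""
        return any(k[1] == sp_id and v == alias for k, v in self.links.items())


class ServiceProvider:
    def __init__(self, sp_id, ap):
        self.sp_id, self.ap = sp_id, ap
        self.alias_to_local = {}          # alias -> local user-identity

    def first_access(self, token, local_identity, permanent):
        if not self.ap.verify_token(token):
            raise PermissionError("token not issued by the Authentication Provider")
        alias = self.ap.assign_alias(token, self.sp_id, permanent)
        self.alias_to_local[alias] = local_identity
        return alias

    def subsequent_access(self, alias):
        """Grant access only while the Authentication Provider vouches for the alias."""
        if self.ap.authenticate_alias(self.sp_id, alias):
            return self.alias_to_local.get(alias)
        self.alias_to_local.pop(alias, None)  # temporary link: discard, repeat first access
        return None
```

Because each alias is minted per Service Provider, two Service Providers comparing their records cannot correlate the same user, and a temporary alias stops working once the Authentication Provider no longer vouches for it.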
Abstract
An apparatus and method for providing Single Sign-On services to a user when accessing a selected Service Provider from a plurality of Service Providers. An Authentication Provider authenticates the user with a user-identity, provides the user with a token as proof of the authentication, and assigns a temporary alias-identity to the user for use when the user accesses the selected Service Provider. The Authentication Provider and the selected Service Provider link the assigned alias-identity and the user-identity to identify the user at their respective sites. The user accesses the selected Service Provider by presenting the token along with a local user-identity valid for the selected Service Provider. When the user attempts a subsequent access at the selected Service Provider, the user is identified by the shared alias-identity if the user allowed permanent linking. If the user did not allow permanent linking, the process is repeated for each subsequent access.
15 Claims
1. (Independent claim, recited in full above as the first claim; claims 2, 3, 4, 5 and 6 depend on it.)
7. An Authentication Provider for carrying out a Single Sign-On authentication of a user accessing a selected Service Provider from a plurality of Service Providers utilized by the user, the user having a user-identity used for authentication purposes, the Authentication Provider comprising:
- means for authenticating the user with a user-identity used for authentication purposes;
- means for providing the user with a token as proof that the user has already been authenticated;
- means for assigning a temporary alias-identity to the user to be utilized for a subsequent access of the user at the selected Service Provider identified by a given Service Provider identifier;
- means for assigning a temporary alias-identity to the user to be utilized at the selected Service Provider identified by a given Service Provider identifier;
- means for linking the assigned alias-identity with the user-identity used for authentication purposes and with the Service Provider identifier of the selected Service Provider, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user; and
- means for authenticating the user's linked alias-identity towards the selected Service Provider whenever the user attempts a subsequent access at the selected Service Provider, if permanent linking was allowed.
(Claims 8, 9, 10, 11 and 12 depend on claim 7.)
13. A Service Provider comprising:
- means for receiving a first service request from an accessing user, the first service request including an authentication token for the user that indicates that the user has already been authenticated;
- means for verifying the authentication token with an Authentication Provider that generated the token, and means for obtaining from the user a local user-identity to identify a user's account with the Service Provider;
- means for obtaining from the Authentication Provider a shared alias-identity for the user;
- means for linking the local user-identity with the received shared alias-identity, on a permanent basis if allowed by the user, or on a temporary basis if not allowed by the user;
- means for receiving a subsequent service request from the accessing user identifying the user's shared alias-identity; and
- means for requesting the Authentication Provider to authenticate the user's shared alias-identity whenever the user subsequently requests access, if permanent linking was allowed.
(Claims 14 and 15 depend on claim 13.)