Managing multiple user identities in authentication environments

US 7,428,750 B1
Filed: 03/24/2003
Issued: 09/23/2008
Est. Priority Date: 03/24/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method of managing a plurality of identities associated with a single user comprising:

assigning an identity broker at a server and at a client to act on behalf of the single user;

receiving, at the server, user identity information from the single user from the client, the user identity information representing a plurality of user identities for authenticating the single user with one or more target services, said user identity information being different from the plurality of user identities, each of the user identities being different and being associated with the one or more target services;

sending, from the server, one or more requests to the target services to obtain additional user identity information, the additional user identity information comprising credential information for each of the user identities, each of the requests comprising a portion of the received user identity information;

receiving the additional user identity information from the target services in response to authentication of the single user by the target services via the sent requests;

synchronizing the received identity information and the received additional user identity information between the server and the client;

registering the received user identity information and the received additional user identity information for management of the plurality of user identities such that the single user is authenticated with the one or more target services based on the user identity information;

providing a linking relationship among the user identity information and the additional user identity information of the plurality of user identities at the server such that each user identity information of the single user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the server to manage the plurality of user identities in groups; and

wherein the assigned identity brokers on the server and the client manage the identity of the single user as a function of the received identity information and the received additional user identity information without a party other than the single user to know about the received additional user identity information.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Managing a plurality of identities associated with a user. The invention includes a system for managing multiple credentials within the same authentication system and across federated authentication systems in such a manner that signing in with one credential allows access to content, information or services that may be associated with another credential.

301 Citations

42 Claims

1. A method of managing a plurality of identities associated with a single user comprising:
- assigning an identity broker at a server and at a client to act on behalf of the single user;
  
  receiving, at the server, user identity information from the single user from the client, the user identity information representing a plurality of user identities for authenticating the single user with one or more target services, said user identity information being different from the plurality of user identities, each of the user identities being different and being associated with the one or more target services;
  
  sending, from the server, one or more requests to the target services to obtain additional user identity information, the additional user identity information comprising credential information for each of the user identities, each of the requests comprising a portion of the received user identity information;
  
  receiving the additional user identity information from the target services in response to authentication of the single user by the target services via the sent requests;
  
  synchronizing the received identity information and the received additional user identity information between the server and the client;
  
  registering the received user identity information and the received additional user identity information for management of the plurality of user identities such that the single user is authenticated with the one or more target services based on the user identity information;
  
  providing a linking relationship among the user identity information and the additional user identity information of the plurality of user identities at the server such that each user identity information of the single user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the server to manage the plurality of user identities in groups; and
  
  wherein the assigned identity brokers on the server and the client manage the identity of the single user as a function of the received identity information and the received additional user identity information without a party other than the single user to know about the received additional user identity information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein sending one or more requests to the target services comprises sending one or more requests to the target services to authenticate the received user identity information.
  - 3. The method of claim 1, wherein registering comprises storing the user identity information in a database for management of the user identities when the user subsequently seeks access to one or more of the target services.
  - 4. The method of claim 1, wherein the user identity information comprises one or more of the following:
    - credential information, a login identifier and a password.
  - 5. The method of claim 4, wherein the credential information comprises one or more of the following:
    - a certificate, an authentication token, and an authentication ticket.
  - 6. The method of claim 1, wherein the target services comprise one or more of the following:
    - a server, a web site, and an application program.
  - 7. The method of claim 1, wherein sending one or more requests to the target services comprises sending the user identity information associated therewith to the target services for authentication, wherein the target services interact with an authentication system to authenticate the user via the user identity information.
  - 8. The method of claim 1, further comprising interacting with one of the target services to provide registered user identity information to said one of the target services in response to a request from said one of the target services for one or more of the user identities associated therewith.
  - 9. The method of claim 8, wherein the registered user identity information are stored in a database, and wherein interacting comprises:
    - receiving, from said one of the target services, a request for one or more of the user identities associated therewith, the request comprising a list of requested identity types;
      
      retrieving the registered user identity information from the database corresponding to the list of requested identity types; and
      
      providing the retrieved user identity information to said one of the target services in response to the received request.
  - 10. The method of claim 9, further comprising validating the retrieved user identity information prior to providing the retrieved user identity information to said one of the target services.
  - 11. The method of claim 10, wherein validating comprises sending the retrieved user identity information to an authentication system to authenticate the user.
  - 12. The method of claim 9, further comprising:
    - requesting, from said one of the target services, new user identity information associated with the user if no user identity information in the database corresponds to the list of requested identity types;
      
      receiving the requested, new user identity information from said one of the target services; and
      
      registering the received, requested, new user identity information.
  - 13. The method of claim 12, wherein the new user identity information comprises credential information.
  - 14. The method of claim 1, further comprising:
    - receiving, from the user, a request with instructions to modify the registered user identity information; and
      
      modifying the registered user identity information in accordance with the received instructions.
  - 15. The method of claim 14, wherein modifying the registered user identity information comprises unlinking one of the user identities from the other user identities.
  - 16. The method of claim 1, wherein the credential information corresponds to one of a plurality of federated authentication systems.
  - 17. The method of claim 1, wherein one or more computer storage media have computer-executable instructions for performing the method recited in claim 1.

18. A method of managing user identity information corresponding to a plurality of identities associated with a user at a client, each of the user identities being associated with one or more target services, the identities being stored in a database, the method comprising:
- interacting between an identity broker at a server and an identity broker at the client on behalf of the user in response to a request from the user;
  
  interacting between the server and one of the target services to provide the user identity information to said one of the target services in response to a request from said one of the target services for one or more of the identities associated therewith, said user identity information representing a plurality of user identities for authenticating the user with the one or more target services, said user identity information being different from the plurality of user identities, wherein the identity information is synchronized between the client and the server;
  
  wherein interacting comprises;
  
  receiving, from said one of the target services, a request for one or more of the user identities associated therewith, the request comprising a list of requested identity types;
  
  retrieving the user identity information from the database accessible by the server corresponding to the list of requested identity types;
  
  providing the retrieved user identity information to said one of the target services in response to the received request, wherein the retrieved user identity information authenticates the user with the one or more target services,wherein the database provides a linking relationship among the user identity information of the one or more of the identities of the user, wherein the linking relationship enables the server to manage the plurality of user identities in groups; and
  
  wherein the identity brokers on the server and the client manage the user identity information as a function of the user identity information and the user identities without a party other than the user to know about the user identities.
- View Dependent Claims (19, 20, 21, 22, 23, 24)
- - 19. The method of claim 18, further comprising validating the retrieved user identity information prior to providing the retrieved user identity information to said one of the target services.
  - 20. The method of claim 19, wherein validating comprises:
    - sending the retrieved user identity information to an authentication system for authentication; and
      
      receiving, from the authentication system, authenticated user identity information.
  - 21. The method of claim 19, wherein providing the retrieved user identity information to said one of the target services comprises providing the validated user identity information to said one of the target services.
  - 22. The method of claim 18, further comprising:
    - requesting, from said one of the target services, new user identity information associated with the user if no user identity information in the database corresponds to the list of requested identity types;
      
      receiving the requested, new user identity information from said one of the target services; and
      
      storing the received, requested, new user identity information in the database.
  - 23. The method of claim 22, wherein the new user identity information comprises credential information.
  - 24. The method of claim 18, wherein the user identity information comprises credential information.

25. In a computer system having a graphical user interface including a display and a user interface selection device, a method of managing a plurality of identities associated with a user comprising:
- assigning an identity broker at a server and at a client to act on behalf of the single user;
  
  displaying a registration user interface from the server to the user on the display, the registration user interface defining a user identity information field;
  
  receiving from the user at the client via the user interface selection device user identity information associated with the user identity information field, the user identity information representing a plurality of user identities for authenticating the user with one or more target services, said user identity information being different from the plurality of user identities, each of the user identities being different and being associated with the one or more target services;
  
  receiving an execution signal from the user via the user interface selection device;
  
  synchronizing the received user identity information between the server and the client;
  
  registering, in response to the received execution signal, the received user identity information for management of the user identities such that the user is authenticated with the one or more target services based on the user identity information; and
  
  providing a linking relationship among the user identity information of the plurality of user identities at the server such that each user identity information of the user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the identity broker at the server and the identity broker at the client to manage the plurality of user identities in groups without a party other than the user to know about the additional user identity information.
- View Dependent Claims (26, 27, 28, 29, 30)
- - 26. The method of claim 25, wherein registering the received user identity information comprises storing the received user identity information in a database for management of the user identities when the user subsequently seeks access to one or more of the target services.
  - 27. The method of claim 25, wherein registering the user identity information comprises linking the user identities or unlinking the user identities or both.
  - 28. The method of claim 25, further comprising:
    - receiving, from the user via the user interface selection device, a request with instructions to modify the registered user identity information; and
      
      modifying the registered user identity information in accordance with the received instructions.
  - 29. The method of claim 25, wherein the user identity information comprises one or more of the following:
    - credential information, a user identifier, and a password.
  - 30. The method of claim 29, wherein the credential information comprises one or more of the following:
    - an authentication ticket, a password, an authentication certificate, and a token.

31. A computer storage medium having stored thereon a data structure representing a plurality of identities associated with a user associated with a client, each of the user identities being associated with one or more target services, the data structure comprising:
- a first field representing user identity information corresponding to the user identities, said user identity information representing a plurality of user identities for authenticating the single user with one or more target services, said user identity information being different from the plurality of user identities;
  
  a second field representing additional user identity information to provide authentication for each of the user identities stored in the first field, wherein the first field and the second field enable authentication of the user based on the user identity information and the additional user identity information for authenticating with the one or more target services;
  
  wherein the first field and the second field are executed on a client a server and the one or more target services said the first field and the second field are synchronized; and
  
  a table, maintained by an identity broker at the server or at the client, providing a linking relationship among the user identity information and the additional user identity information of the plurality of user identities at the server such that each user identity information of the single user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the identity broker at the server and the identity broker at the client to manage the plurality of user identities in groups without a party other than the user to know about the additional user identity information and wherein the table stores an additional flag to indicate whether or not one of the plurality of user identities is linked to some other identity.
- View Dependent Claims (32, 33)
- - 32. The computer storage medium of claim 31, wherein the user identity information comprises a user identifier or a password or both.
  - 33. The computer storage medium of claim 31, wherein the additional user identity information comprises one or more of the following:
    - a certificate, an authentication token, and an authentication ticket.

34. One or more computer storage media having computer-executable components executable at a server for managing a plurality of identities associated with a user, the components comprising:
- an interface module for receiving user identity information from the user from a client, the user identity information representing a plurality of user identities for authenticating the single user with one or more target services, said user identity information being different from the plurality of user identities, each of the user identities being different and being associated with the one or more target services;
  
  a synchronization component for synchronizing the identity information between the client and the server;
  
  a validation module for sending one or more requests to the target services to obtain additional user identity information, the additional user identity information comprising credential information for each of the user identities, each of the requests comprising a portion of the received user identity information, the validation module receiving the additional user identity information from the target services in response to authentication of the user by the target services via the sent requests;
  
  a database module for registering the received user identity information and received additional user identity information for management of the user identities, said database module providing a linking relationship among the user identity information and the additional user identity information of the plurality of user identities at the server such that each user identity information of the single user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the server to manage the plurality of user identities in groups; and
  
  a broker module for interacting with one of the target services to provide registered user identity information to said one of the target services in response to a request from said one of the target services for one or more of the user identities associated therewith, wherein the broker module enable authentication of the user with the one or more target services based on the user identity information without a party other than the single user to know about the received additional user identity information.
- View Dependent Claims (35, 36, 37, 38, 39, 40)
- - 35. The computer storage media of claim 34, wherein the interface module comprises a graphical user interface or a textual user interface or both.
  - 36. The computer storage media of claim 34, wherein the registered user identity information is stored in a database, and wherein said interacting performed by the broker module comprises:
    - receiving, from said one of the target services, a request for one or more of the user identities associated therewith, the request comprising a list of requested identity types;
      
      retrieving the registered user identity information from the database corresponding to the list of requested identity types; and
      
      providing the retrieved user identity information to said one of the target services in response to the received request.
  - 37. The computer storage media of claim 36, wherein the broker module validates the retrieved user identity information prior to providing the retrieved user identity information to said one of the target services.
  - 38. The computer storage media of claim 34, wherein the interface module receives, from the user, a request with instructions to modify the registered user identity information, the interface module modifying the registered user identity information in accordance with the received instructions.
  - 39. The computer storage media of claim 34, wherein the database module performs:
    - requesting, from said one of the target services, new user identity information associated with the user if no user identity information in the database corresponds to the list of requested identity types;
      
      receiving the requested, new user identity information from said one of the target services; and
      
      registering the received, requested, new user identity information.
  - 40. The computer storage media of claim 34, wherein the interface module, the validation module, and the database module operate in a client computer or a server computer or both.

41. An account management system at a server for managing a plurality of identities associated with a user, the account management system comprising:
- an identity broker at the server to act on behalf of the user;
  
  an identity broker at a client to act on behalf of the user;
  
  a user interface for receiving user identity information from the user from the client, the user identity information representing a plurality of user identities for authenticating the single user with one or more target services, said user identity information being different from the plurality of user identities, each of the user identities being associated with one or more target services;
  
  a validation component for sending one or more requests to the target services to obtain additional user identity information, the additional user identity information comprising credential information for each of the user identities, each of the requests comprising a portion of the received user identity information, the validation component receiving the additional user identity information from the target services in response to authentication of the user by the target services;
  
  a synchronization component for synchronizing the received identity information and the received additional user identity information between the server and the client;
  
  a database storing the user identity information received by the user interface and the additional user identity information received by the validation component, said data base providing a linking relationship among the user identity information and the additional user identity information of the plurality of user identities at the server such that each user identity information of the single user corresponds to the additional user identity information of the single user, wherein the linking relationship enables the identity broker at the server and the identity broker at the client to manage the plurality of user identities in groups without a party other than the user to know about the additional user identity information; and
  
  computer-executable instructions which, when executed on a data processing system having a processor and access to the database, manage the user identities by performing;
  
  receiving, from said one of the target services, a request for one or more of the user identities associated therewith, the request comprising a list of requested identity types;
  
  retrieving the registered user identity information from the database corresponding to the list of requested identity types; and
  
  providing the retrieved user identity information to said one of the target services in response to the received request, wherein that the retrieved user identity information authenticates the user with the one or more target services.
- View Dependent Claims (42)
- - 42. The account management system of claim 41, wherein the computer-executable instructions further comprise validating the retrieved user identity information prior to providing the retrieved user identity information to said one of the target services.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dunn, Melissa W., Jones, Matt C., Xian, Xiang
Primary Examiner(s)
TRAN, ELLEN C

Application Number

US10/395,353
Time in Patent Office

2,010 Days
Field of Search

726/6, 726/8, 726/10, 726/5
US Class Current

726/8
CPC Class Codes

G06F 21/41 where a single sign-on prov...

Managing multiple user identities in authentication environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

301 Citations

42 Claims

Specification

Use Cases

Quick Links

Others

Managing multiple user identities in authentication environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

301 Citations

42 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others