Authentication broker service
First Claim
1. A computer-implemented method of authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service and is not issued by the relying computing entity, the method comprising:
receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service;
identifying, by the broker service, an appropriate authentication service among a plurality of authentication services, wherein (a) a first trust relationship exists between the relying computing entity and the broker service;
(b) a second trust relationship exists between the identified authentication service and the broker service;
(c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and
(d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists;
receiving an authentication response from the identified authentication service at the broker service; and
sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.
2 Assignments
0 Petitions
Abstract
A user is authenticated for a relying computing entity (e.g., an enterprise) through an authentication broker service, wherein a trust relationship exists between the relying computing entity and the authentication broker service. The authentication broker service has a trust relationship with the relying computing entity and the authentication service that issued the identity of the user. The relying computing entity asks the authentication broker service to authenticate the identity of the user. The authentication broker service captures the user's credential (or directs the authentication service to do so) and sends an authentication response (e.g., a token) to the relying computing entity in order to authenticate the identity of the user to the relying computing entity. The relying computing entity verifies the authentication response based on the trust relationship between the relying computing entity and the authentication broker service.
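The exchange described in the abstract and in claim 1, as an added Python model that is not part of the patent text or any product it covers. Each trust relationship is modelled as a shared HMAC-SHA256 key (the first between relying party and broker, the second between broker and each authentication service); the relying party's request names no authentication service, the broker picks one only if it already holds a trust relationship with it (here, by the domain part of the user identifier, an assumption), and the relying party verifies only the broker-issued token. The service names, domains, users and credentials are constructed for the example.

```python
import hashlib, hmac, json, secrets, time

BROKER_NAME = "auth-broker.example"   # hypothetical broker identifier


def sign(key: bytes, payload: dict) -> str:
    """Canonical JSON + HMAC-SHA256; stands in for a signed SAML/JWT assertion."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return body.hex() + "." + hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, token: str):
    """Return the payload if the MAC checks out under `key`, otherwise None."""
    try:
        body_hex, mac = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, hmac.new(key, body, hashlib.sha256).hexdigest()):
        return None
    return json.loads(body)


class AuthenticationService:
    """Issues identities for one domain; trusts only the broker (second trust
    relationship) and has no relationship with any relying party."""

    def __init__(self, name: str, domain: str, users: dict):
        self.name, self.domain, self.users = name, domain, users
        self.broker_key = secrets.token_bytes(32)

    def authenticate(self, request: str) -> str:
        req = verify(self.broker_key, request)
        if req is None:                                   # not from a trusted broker
            return sign(self.broker_key, {"iss": self.name, "ok": False, "nonce": ""})
        ok = self.users.get(req["sub"]) == req["credential"]   # constructed credential check
        return sign(self.broker_key, {"iss": self.name, "sub": req["sub"],
                                      "ok": ok, "nonce": req["nonce"]})


class AuthenticationBroker:
    def __init__(self):
        self.rp_keys: dict = {}     # first trust relationship: rp_id -> shared key
        self.services: dict = {}    # second trust relationship: identity domain -> service

    def trust_relying_party(self, rp_id: str) -> bytes:
        self.rp_keys[rp_id] = secrets.token_bytes(32)
        return self.rp_keys[rp_id]

    def trust_authentication_service(self, svc: AuthenticationService) -> None:
        self.services[svc.domain] = svc

    def identify_service(self, user: str):
        """Claim 1(d): a service is 'appropriate' only if a trust relationship with
        it exists; routing by the user's identity domain is an assumption."""
        return self.services.get(user.rpartition("@")[2])

    def authenticate(self, rp_id: str, user: str, credential: str) -> dict:
        rp_key = self.rp_keys.get(rp_id)
        if rp_key is None:
            return {"error": "no trust relationship with relying party"}
        svc = self.identify_service(user)
        if svc is None:
            return {"error": "no trusted authentication service for this identity"}
        nonce = secrets.token_hex(8)   # binds the service's reply to this request
        reply = verify(svc.broker_key, svc.authenticate(sign(svc.broker_key, {
            "iss": BROKER_NAME, "sub": user, "credential": credential, "nonce": nonce})))
        if reply is None or not reply.get("ok") or reply.get("nonce") != nonce:
            return {"error": "authentication service rejected the credential"}
        # Response for the RP is signed under the first trust relationship only;
        # the RP never needs the service's key.
        return {"token": sign(rp_key, {"iss": BROKER_NAME, "aud": rp_id, "sub": user,
                                       "via": reply["iss"], "exp": int(time.time()) + 300})}


class RelyingParty:
    def __init__(self, rp_id: str, broker: AuthenticationBroker):
        self.rp_id, self.broker = rp_id, broker
        self.broker_key = broker.trust_relying_party(rp_id)

    def login(self, user: str, credential: str, intercept=None):
        """Request names no service; accept only a broker token for this audience
        that is still valid. Returns the authenticated subject or None."""
        token = self.broker.authenticate(self.rp_id, user, credential).get("token")
        if token is None:
            return None
        if intercept:                       # constructed in-transit attacker
            token = intercept(token)
        claims = verify(self.broker_key, token)
        if claims is None or claims["aud"] != self.rp_id or claims["exp"] < time.time():
            return None
        return claims["sub"]


def forge(token: str, new_sub: str) -> str:
    """Attacker rewrites the subject but cannot recompute the broker's MAC."""
    body_hex, mac = token.split(".", 1)
    payload = json.loads(bytes.fromhex(body_hex))
    payload["sub"] = new_sub
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode().hex() + "." + mac


def run_demo() -> dict:
    broker = AuthenticationBroker()
    broker.trust_authentication_service(AuthenticationService(
        "idp.corp-a.example", "corp-a.example", {"alice@corp-a.example": "pw-a"}))
    broker.trust_authentication_service(AuthenticationService(
        "idp.corp-b.example", "corp-b.example", {"bob@corp-b.example": "pw-b"}))
    rp = RelyingParty("app.relying.example", broker)
    return {
        "alice": rp.login("alice@corp-a.example", "pw-a"),
        "bob": rp.login("bob@corp-b.example", "pw-b"),
        "wrong_credential": rp.login("alice@corp-a.example", "nope"),
        "untrusted_domain": rp.login("eve@corp-c.example", "x"),   # no second trust relationship
        "forged": rp.login("bob@corp-b.example", "pw-b",
                           intercept=lambda t: forge(t, "alice@corp-a.example")),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two failure branches worth noting: an identity from a domain the broker holds no trust relationship for is refused before any service is contacted (claim 1(d)), and a token whose subject is rewritten in transit fails at the relying party because the first trust relationship, not the service's, is what the relying party checks.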
56 Citations
43 Claims
1. A computer-implemented method of authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service and is not issued by the relying computing entity, the method comprising:
receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service; identifying, by the broker service, an appropriate authentication service among a plurality of authentication services, wherein (a) a first trust relationship exists between the relying computing entity and the broker service; (b) a second trust relationship exists between the identified authentication service and the broker service; (c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and (d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists; receiving an authentication response from the identified authentication service at the broker service; and sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship. (Dependent claims 2 to 19.)
20. A computer-readable medium encoding computer executable instructions encoding a method for authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service, the computing process comprising:
receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service; identifying, by the broker service, an appropriate authentication service from among a plurality of authentication services, wherein (a) a first trust relationship exists between the relying computing entity and the broker service; (b) a second trust relationship exists between the identified authentication service and the broker service; (c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and (d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists; receiving an authentication response from the identified authentication service; and sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship. (Dependent claims 21 to 38.)
39. A computer system for authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service, the computing system comprising:
an authentication broker service having a first trust relationship with the relying computing entity and a second trust relationship with an appropriate authentication service identified by the authentication broker service from among a plurality of authentication services, wherein the identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists, the authentication broker service receiving an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service, and receiving an authentication response from the appropriate authentication service, the authentication broker service further sending an authentication response to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.
40. A method of establishing a brokerable trust relationship between an authentication broker service and each of a plurality of computing entities, the method comprising:
establishing one or more brokered authentication rules governing brokered authentication through the authentication broker service; obtaining an agreement from each computing entity to comply with the one or more brokered authentication rules; and
configuring the authentication broker service to authenticate identities of one or more users for each computing entity in accordance with the one or more brokered authentication rules, wherein the one or more users have identities issued by one or more appropriate authentication services identified by the authentication broker service from a plurality of authentication services, the one or more appropriate authentication services having trust relationships with the authentication broker service, wherein identifying of the appropriate authentication service is based at least in part on determining that the trust relationship exists. (Dependent claim 41.)
42. A computer-readable medium encoding computer executable instructions encoding a method for establishing a brokerable trust relationship between an authentication broker service and each of a plurality of computing entities, the computer process comprising:
establishing one or more brokered authentication rules governing brokered authentication through the authentication broker service; obtaining an agreement from each computing entity to comply with the one or more brokered authentication rules; and
configuring the authentication broker service to authenticate identities of one or more users for each computing entity in accordance with the one or more brokered authentication rules, wherein the one or more users have identities issued by one or more appropriate authentication services identified by the authentication broker service from a plurality of authentication services, the one or more appropriate authentication services having trust relationships with the authentication broker service, wherein identifying of the appropriate authentication service is based at least in part on determining that the trust relationship exists. (Dependent claim 43.)
Specification