Authentication broker service

US 7,607,008 B2
Filed: 04/01/2004
Issued: 10/20/2009
Est. Priority Date: 04/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method of authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service and is not issued by the relying computing entity, the method comprising:

receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service;

identifying, by the broker service, an appropriate authentication service among a plurality of authentication services, wherein(a) a first trust relationship exists between the relying computing entity and the broker service;

(b) a second trust relationship exists between the identified authentication service and the broker service;

(c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and

(d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists;

receiving an authentication response from the identified authentication service at the broker service; and

sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user is authenticated for a relying computing entity (e.g., an enterprise) through an authentication broker service, wherein a trust relationship exists between the relying computing entity and the authentication broker service. The authentication broker service has a trust relationship with the relying computing entity and the authentication service that issued the identity of the user. The relying computing entity asks the authentication broker service to authenticate the identity of the user. The authentication broker service captures the user'"'"'s credential (or directs the authentication service to do so) and sends an authentication response (e.g., a token) to the relying computing entity in order to authenticate the identity of the user to the relying computing entity. The relying computing entity verifies the authentication response based on the trust relationship between the relying computing entity and the authentication broker service.

56 Citations

View as Search Results

43 Claims

1. A computer-implemented method of authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service and is not issued by the relying computing entity, the method comprising:
- receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service;
  
  identifying, by the broker service, an appropriate authentication service among a plurality of authentication services, wherein(a) a first trust relationship exists between the relying computing entity and the broker service;
  
  (b) a second trust relationship exists between the identified authentication service and the broker service;
  
  (c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and
  
  (d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists;
  
  receiving an authentication response from the identified authentication service at the broker service; and
  
  sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1 further comprising:
    - sending the authentication request to the identified authentication service, responsive to receiving the authentication request at the broker service.
  - 3. The method of claim 1 further comprising:
    - collecting a credential of the user, responsive to receiving the authentication request at the broker service; and
      
      sending the credential to the identified authentication service for validation by the identified authentication service.
  - 4. The method of claim 1 wherein the credential cannot be interpreted by the broker service.
  - 5. The method of claim 1 wherein the broker service and the identified authentication service are hosted by a single computing system.
  - 6. The method of claim 1 wherein the broker service and the identified authentication services are hosted within a single computing entity.
  - 7. The method of claim 1 wherein authentication account information associated with the user and maintained by the identified authentication service is accessible through an interface to the identified authentication service.
  - 8. The method of claim 1 further comprising:
    - validating based on the first trust relationship that the authentication request was received by the broker service from the relying computing entity.
  - 9. The method of claim 1 wherein other computing entities have trust relationships established with the broker service.
  - 10. The method of claim 1 wherein the first trust relationship represents an agreement between the broker service and the relying computing entity to comply with one or more brokered authentication rules.
  - 11. The method of claim 1 wherein the first trust relationship represents an exchange of one or more security keys between the broker service and the relying computing entity.
  - 12. The method of claim 1 wherein the first trust relationship represents an agreement by the relying computing entity to recognize assertions provided by the broker service.
  - 13. The method of claim 1 wherein the operation of receiving at a broker service an authentication request is responsive to an access request by the user for access to the relying computing entity.
  - 14. The method of claim 1 wherein the operation of receiving at a broker service an authentication request comprises:
    - receiving the authentication request at the broker service as a redirected message through a computer system of the user.
  - 15. The method of claim 1 further comprising:
    - validating a credential received from the user by the identified authentication service.
  - 16. The method of claim 1 further comprising:
    - sending a challenge request to the user, responsive to the operation of receiving at a broker service an authentication request; and
      
      validating a credential received from the user in response to the challenge request.
  - 17. The method of claim 1 further comprising:
    - returning a session ticket to the user to allow user access to the relying computing entity.
  - 18. The method of claim 1 further comprising:
    - redirecting the user to the identified authentication service based on an identifier of the user.
  - 19. The method of claim 1 further comprising:
    - translating the authentication response received from the identified authentication service into a protocol recognized by the relying computing entity.

20. A computer-readable medium encoding computer executable instructions encoding a method for authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service, the computing process comprising:
- receiving at a broker service an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service;
  
  identifying, by the broker service, an appropriate authentication service from among a plurality of authentication services, wherein;
  
  (a) a first trust relationship exists between the relying computing entity and the broker service;
  
  (b) a second trust relationship exists between the identified authentication service and the broker service;
  
  (c) no relevant trust relationship exists between the identified authentication service and the relying computing entity; and
  
  (d) identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exits;
  
  receiving an authentication response from the identified authentication service; and
  
  sending an authentication response from the broker service to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38)
- - 21. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - sending the authentication request to the identified authentication service, responsive to receiving the authentication request at the broker service.
  - 22. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - collecting a credential of the user, responsive to receiving the authentication request at the broker service; and
      
      sending the credential to the identified authentication service for validation by the authentication service.
  - 23. The computer-readable medium of claim 20 wherein the credential cannot be interpreted by the broker service.
  - 24. The computer-readable medium of claim 20 wherein the broker service and the identified authentication service are hosted by a single computing system.
  - 25. The computer-readable medium of claim 20 wherein the broker service and the identified authentication services are hosted within a single computing entity.
  - 26. The computer-readable medium of claim 20 wherein authentication account information associated with the user and maintained by the identified authentication service is accessible through an interface to the authentication service.
  - 27. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - validating based on the first trust relationship that the authentication request was received by the broker service from the relying computing entity.
  - 28. The computer-readable medium of claim 20 wherein other computing entities have trust relationships established with the broker service.
  - 29. The computer-readable medium of claim 20 wherein the first trust relationship represents an agreement between the broker service and the relying computing entity to comply with one or more brokered authentication rules.
  - 30. The computer-readable medium of claim 20 wherein the first trust relationship represents an exchange of one or more security keys between the broker service and the relying computing entity.
  - 31. The computer-readable medium of claim 20 wherein the first trust relationship represents an agreement by the relying computing entity to recognize assertions provided by the broker service.
  - 32. The computer-readable medium of claim 20 wherein the operation of receiving at a broker service an authentication request is responsive to an access request by the user for access to the relying computing entity.
  - 33. The computer-readable medium of claim 20 wherein the operation of receiving at a broker service an authentication request comprises:
    - receiving the authentication request at the broker service as a redirected message through a computer system of the user.
  - 34. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - validating a credential received from the user by the identified authentication service.
  - 35. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - sending a challenge request to the user, responsive to the operation of receiving at a broker service an authentication request; and
      
      validating a credential received from the user in response to the challenge request.
  - 36. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - returning a session ticket to the user to allow user access to the relying computing entity.
  - 37. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - redirecting the user to the identified authentication service based on an identifier of the user.
  - 38. The computer-readable medium of claim 20 wherein the computer process further comprises:
    - translating the authentication response received from the identified authentication service into a protocol recognized by the relying computing entity.

39. A computer system for authenticating an identity of a user seeking access to a relying computing entity, wherein the identity of the user is issued by an authentication service, the computing system comprising:
- an authentication broker service having a first trust relationship with the relying computing entity and a second trust relationship with an appropriate authentication service identified by the authentication broker service from among a plurality of authentication services, wherein the identifying of the appropriate authentication service is based at least in part on determining that the second trust relationship exists, the authentication broker service receiving an authentication request from the relying computing entity to authenticate the identity of the user, wherein the authentication request does not include an identification of an authentication service, and receiving an authentication response from the appropriate authentication service, the authentication broker service further sending an authentication response to the relying computing entity representing a trusted authentication of the identity of the user to the relying computing entity based on the first trust relationship and the second trust relationship.

40. A method of establishing a brokerable trust relationship between an authentication broker service and each of a plurality of computing entities, the method comprising:
- establishing one or more brokered authentication rules governing brokered authentication through the authentication broker service;
  
  obtaining an agreement from each computing entity to comply with the one or more brokered authentication rules; and
  
  configuring the authentication broker service to authenticate identities of one or more users for each computing entity in accordance with the one or more brokered authentication rules, wherein the one or more users have identities issued by one or more appropriate authentication services identified by the authentication broker service from a plurality of authentication services, the one or more appropriate authentication services having trust relationships with the authentication broker service, wherein identifying of the appropriate authentication service is based at least in part on determining that the trust relationship exists.
- View Dependent Claims (41)
- - 41. The method of claim 40 further comprising:
    - exchanging one or more security keys between the authentication broker service and each of the computing entities.

42. A computer-readable medium encoding computer executable instructions encoding a method for establishing a brokerable trust relationship between an authentication broker service and each of a plurality of computing entities, the computer process comprising:
- establishing one or more brokered authentication rules governing brokered authentication through the authentication broker service;
  
  obtaining an agreement from each computing entity to comply with the one or more brokered authentication rules; and
  
  configuring the authentication broker service to authenticate identities of one or more users for each computing entity in accordance with the one or more brokered authentication rules, wherein the one or more users have identities issued by one or more appropriate authentication services identified by the authentication broker service from a plurality of authentication services, the one or more appropriate authentication services having trust relationships with the authentication broker service, wherein identifying of the appropriate authentication service is based at least in part on determining that the trust relationship exists.
- View Dependent Claims (43)
- - 43. The computer-readable medium of claim 42 wherein the computer process further comprises:
    - exchanging one or more security keys between the authentication broker service and each of the computing entities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Young, Kyle S., Schiappa, Daniel Salvatore, Ahmed, Khaja E., Howard, John Hal
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US10/817,154
Publication Number

US 20050223217A1
Time in Patent Office

2,028 Days
Field of Search

726/2, 726/4, 726/8, 726/21, 726 27- 29, 713/155, 713168-170, 705/26, 705/44, 705 74- 76, 705/78
US Class Current

713/155
CPC Class Codes

G06F 21/31   User authentication

G06F 2221/2115   Third party

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0884   by delegation of authentica...

Authentication broker service

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

43 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication broker service

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

43 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links