Application identity design

US 7,721,328 B2
Filed: 12/14/2004
Issued: 05/18/2010
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for providing a first set of user credentials over a public network to a first remote computer application, the method comprising:

storing a plurality of sets of user credentials including the first set of user credentials for the first remote computer application in a central repository that is accessible through an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network, each set of user credentials corresponding to one of a plurality of remote computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the remote computer applications communicate with the interoperability network via different access points on the public network;

storing a plurality of permissions in a storage medium that is accessible through the interoperability network, the plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;

transmitting a request to the second remote computer application corresponding to the second service provider to perform, on behalf of the first user, a particular task involving the first remote computer application corresponding to the first service provider;

determining, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and

when the second service provider has permission to act on behalf of the first user, allowing the second remote computer application to retrieve the first set of user credentials for the first remote computer application from the central repository and to supply the retrieved first set of user credentials to the first remote computer application.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

149 Citations

33 Claims

1. A computer-implemented method for providing a first set of user credentials over a public network to a first remote computer application, the method comprising:
- storing a plurality of sets of user credentials including the first set of user credentials for the first remote computer application in a central repository that is accessible through an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network, each set of user credentials corresponding to one of a plurality of remote computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the remote computer applications communicate with the interoperability network via different access points on the public network;
  
  storing a plurality of permissions in a storage medium that is accessible through the interoperability network, the plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
  
  transmitting a request to the second remote computer application corresponding to the second service provider to perform, on behalf of the first user, a particular task involving the first remote computer application corresponding to the first service provider;
  
  determining, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and
  
  when the second service provider has permission to act on behalf of the first user, allowing the second remote computer application to retrieve the first set of user credentials for the first remote computer application from the central repository and to supply the retrieved first set of user credentials to the first remote computer application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein storing the sets of user credentials includes:
    - storing the multiple sets of user credentials for the first user in a credential storage area of the central repository, the credential storage area being associated with a user account for the first user.
  - 3. The method of claim 2, wherein the first user'"'"'s credential storage area includes the multiple sets of user credentials, each set of user being of a type that is specified by the corresponding remote computer application.
  - 4. The method of claim 3, further comprising:
    - granting permission to the second service provider to read one or more of the multiple sets of user credentials from the first user'"'"'s credential storage area of the central repository.
  - 5. The method of claim 4, wherein determining whether the second service provider has been granted permission includes:
    - determining whether the second service provider has been granted read access to the first set of user credentials in the first user'"'"'s credential storage area of the central repository.
  - 6. The method of claim 3, further comprising:
    - determining a policy for under what circumstances the second service provider is authorized to act on behalf of the first user with respect to the first remote computer application; and
      
      granting permission to the second service provider to read the first set of user credentials from the first user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 7. The method of claim 6, wherein determining whether the second service provider has been granted permission includes:
    - determining whether the policy is violated or not; and
      
      determining whether the second service provider has been granted read access to the first set of user credentials in the first user'"'"'s credential storage area of the central repository.
  - 8. The method of claim 1, wherein each remote computer application includes a description of what type of user credentials are needed to access and use the remote computer application.
  - 9. The method of claim 1, wherein the first service provider is associated with a particular addressable endpoint on the network and has the same name as the first remote computer application.
  - 10. The method of claim 1, wherein the first user is one or more of:
    - an individual user and an organization representing one or more users.
  - 11. The method of claim 1, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

12. A system for providing a first set of user credentials over a public network to a first remote computer application, the system comprising:
- an interoperability network connecting a plurality of network nodes, each network node representing one or more of;
  
  a user, a service, and a computer application, the interoperability network being configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network;
  
  a central repository that is accessible through the interoperability network and configured to store a plurality of sets of user credentials including the first set of credentials for the first remote computer application, each set of user credentials corresponding to one of a plurality of remote computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the computer applications communicate with the interoperability network via different access points on the public network;
  
  a storage medium that is accessible through the interoperability network, the storage medium storing a plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
  
  the second remote computer application configured to;
  
  receive a request to perform, on behalf of a first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials, a particular task involving the first remote computer application;
  
  determine, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first computer application; and
  
  when the second service provider has permission to act on behalf of the first user, retrieve the first set of user credentials for the first remote computer application from the central repository and supply the retrieved first set of user credentials to the first remote computer application.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The system of claim 12, wherein the central repository includes:
    - a plurality of credential storage areas for storing the sets of user credentials, each credential storage area being associated with a user account for a particular user.
  - 14. The system of claim 13, wherein:
    - each user'"'"'s credential storage area includes one or more of the sets of user credentials, each set of user credentials being of a type that is specified by the corresponding computer application.
  - 15. The system of claim 14, further comprising:
    - a read permission granted to the second service provider to read one or more of the multiple sets of user credentials from the first user'"'"'s credential storage area of the central repository.
  - 16. The system of claim 15, wherein the second service provider is operable to determine whether the second service provider has been granted permission to act on behalf of the first user with respect to the first computer application by:
    - determining whether the provider of the service has been granted the read permission.
  - 17. The system of claim 14, further comprising:
    - a policy stating under what circumstances the second service provider is authorized to act on behalf of the first user with respect to the first remote computer application; and
      
      a read permission granted to the second service provider to read the first set of user credentials from the first user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 18. The system of claim 17, wherein the second service provider is operable to determine whether the second service provider has been granted permission by:
    - determining whether the policy is violated or not; and
      
      determining whether the second service provider has been granted read access to the first set of user credentials in the first user'"'"'s credential storage area of the central repository.
  - 19. The system of claim 12, wherein each computer application includes a description of what type of user credentials are needed to access and use the computer application.
  - 20. The system of claim 12, wherein the first service provider is associated with a particular addressable endpoint on the network and has the same name as the first computer application.
  - 21. The system of claim 12, wherein the first user is one or more of:
    - an individual user and an organization representing one or more users.
  - 22. The system of claim 12, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

23. A computer program product, stored on one or more machine-readable storage media, comprising instructions operable to cause a computer to:
- store a plurality of sets of user credentials including a first set of use credentials for a first remote computer application in a central repository that is accessible through an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network, each set of user credentials corresponding to one of a plurality of computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the remote computer applications communicate with the interoperability network via different access points on the public network;
  
  store a plurality of permissions in a storage medium that is accessible through the interoperability network, the plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
  
  send a request to the second remote computer application corresponding to the second service provider to perform, on behalf of the first user, a particular task involving the first remote computer application corresponding to the first service provider;
  
  determine, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and
  
  when the second service provider has permission to act on behalf of the first user, allow the second remote computer application to retrieve the first set of user credentials for the remote computer application from the central repository and to supply the retrieved first set of user credentials to the first remote computer application.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The computer program product of claim 23, wherein the instructions to store the sets of user credentials include instructions to:
    - store the multiple sets user credentials for the first user in a credential storage area of the central repository, the credential storage area being associated with a user account for the first user.
  - 25. The computer program product of claim 24, wherein the first user'"'"'s credential storage area includes the multiple sets of user credentials, each set of user credentials being of a type that is specified by the corresponding remote computer application.
  - 26. The computer program product of claim 25, further comprising instructions to:
    - grant permission to the second service provider to read one or more of the multiple sets of user credentials from the first user'"'"'s credential storage area of the central repository.
  - 27. The computer program product of claim 26, wherein the instructions to determine whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application include instructions to:
    - determine whether the second service provider has been granted read access to the first set of user credentials in the first user'"'"'s credential storage area of the central repository.
  - 28. The computer program product of claim 25, further comprising instructions to:
    - determine a policy for under what circumstances the second service provider is authorized to act on behalf of the first user with respect to the first remote computer application; and
      
      grant permission to the second service provider to read the first set of user credentials from the first user'"'"'s credential storage area of the central repository only when the policy is not violated.
  - 29. The computer program product of claim 28, wherein the instructions to determine whether the second service provider has been granted permission include instructions to:
    - determine whether the policy is violated or not; and
      
      determine whether the second service provider has been granted read access to the first set of user credentials in the first user'"'"'s credential storage area of the central repository.
  - 30. The computer program product of claim 23, wherein each remote computer application includes a description of what type of user credentials are needed to access and use the remote computer application.
  - 31. The computer program product of claim 23, wherein the first service provider is associated with a particular addressable endpoint on the network and has the same name as the first remote computer application.
  - 32. The computer program product of claim 23, wherein the first user is one or more of:
    - an individual user and an organization representing one or more users.
  - 33. The computer program product of claim 23, wherein the network is an interoperability network including functionality for routing messages through the interoperability network and functionality for mediating differences in communication protocol formats between users, services, and computer applications associated with the interoperability network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Boulos, Thomas Nabiel, Behera, Prasanta Kumar
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
McNally; Michael S

Application Number

US11/012,639
Publication Number

US 20060075475A1
Time in Patent Office

1,981 Days
Field of Search

726/6
US Class Current

726/6
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Application identity design

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Application identity design

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links