Application identity design
Abstract
Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user's credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.
33 Claims
1. A computer-implemented method for providing a first set of user credentials over a public network to a first remote computer application, the method comprising:
storing a plurality of sets of user credentials including the first set of user credentials for the first remote computer application in a central repository that is accessible through an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network, each set of user credentials corresponding to one of a plurality of remote computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the remote computer applications communicate with the interoperability network via different access points on the public network;
storing a plurality of permissions in a storage medium that is accessible through the interoperability network, the plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
transmitting a request to the second remote computer application corresponding to the second service provider to perform, on behalf of the first user, a particular task involving the first remote computer application corresponding to the first service provider;
determining, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and
when the second service provider has permission to act on behalf of the first user, allowing the second remote computer application to retrieve the first set of user credentials for the first remote computer application from the central repository and to supply the retrieved first set of user credentials to the first remote computer application.
Dependent claims: 2 to 11.
12. A system for providing a first set of user credentials over a public network to a first remote computer application, the system comprising:
an interoperability network connecting a plurality of network nodes, each network node representing one or more of: a user, a service, and a computer application, the interoperability network being configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network;
a central repository that is accessible through the interoperability network and configured to store a plurality of sets of user credentials including the first set of credentials for the first remote computer application, each set of user credentials corresponding to one of a plurality of remote computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the computer applications communicate with the interoperability network via different access points on the public network;
a storage medium that is accessible through the interoperability network, the storage medium storing a plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
the second remote computer application configured to:
receive a request to perform, on behalf of a first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials, a particular task involving the first remote computer application;
determine, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and
when the second service provider has permission to act on behalf of the first user, retrieve the first set of user credentials for the first remote computer application from the central repository and supply the retrieved first set of user credentials to the first remote computer application.
Dependent claims: 13 to 22.
23. A computer program product, stored on one or more machine-readable storage media, comprising instructions operable to cause a computer to:
store a plurality of sets of user credentials including a first set of user credentials for a first remote computer application in a central repository that is accessible through an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent service providers in communication with the interoperability network, each set of user credentials corresponding to one of a plurality of computer applications under control of a corresponding one of the independent service providers, the independent service providers being non-federated entities that do not employ a common identity federation protocol, the independent service providers including a first service provider corresponding to the first remote computer application, and a second service provider corresponding to a second remote computer application, wherein at least some of the remote computer applications communicate with the interoperability network via different access points on the public network;
store a plurality of permissions in a storage medium that is accessible through the interoperability network, the plurality of permissions including a first permission for the second service provider to act on behalf of a first user with respect to the first remote computer application, the first user corresponding to multiple ones of the sets of user credentials including the first set of user credentials;
send a request to the second remote computer application corresponding to the second service provider to perform, on behalf of the first user, a particular task involving the first remote computer application corresponding to the first service provider;
determine, based on one or more of the permissions stored in the storage medium, whether the second service provider has been granted permission to act on behalf of the first user with respect to the first remote computer application; and
when the second service provider has permission to act on behalf of the first user, allow the second remote computer application to retrieve the first set of user credentials for the first remote computer application from the central repository and to supply the retrieved first set of user credentials to the first remote computer application.
Dependent claims: 24 to 33.
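The flow that the abstract and the three independent claims describe (a central credential repository, a separate store of delegation permissions, a second service that requests to act for a user, a permission check, and release of the stored credential to that service so it can log in to the first application) is modelled below. This is an added example written for this page, not code from the patent or its assignee. The class names (`CredentialBroker`, `RemoteApp`, `DelegateService`), the grant tuple `(delegate, user, application)`, the audit record, the exception type and the sample users, services and secrets are all assumptions made for illustration; the claims specify none of them.

```python
# Added example, not code from the patent: every class, name, service and secret is assumed.
from __future__ import annotations
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class Credential:
    """One set of user credentials for one remote application."""
    username: str
    secret: str


class PermissionDenied(Exception):
    """The delegate holds no grant for this (user, application) pair."""


class CredentialBroker:
    """Central repository of credentials plus the storage medium of permissions.
    A grant (delegate, user, application) is the only thing that releases a
    plaintext credential, so it is scoped that narrowly and every decision is audited.
    """
    def __init__(self) -> None:
        self._vault: dict[tuple[str, str], Credential] = {}   # (user, app) -> credential
        self._grants: set[tuple[str, str, str]] = set()        # (delegate, user, app)
        self.audit: list[tuple[str, str, str, str]] = []       # (outcome, delegate, user, app)

    def store_credential(self, user: str, app: str, cred: Credential) -> None:
        self._vault[(user, app)] = cred

    def grant(self, delegate: str, user: str, app: str) -> None:
        self._grants.add((delegate, user, app))

    def revoke(self, delegate: str, user: str, app: str) -> None:
        self._grants.discard((delegate, user, app))

    def retrieve_for(self, delegate: str, user: str, app: str) -> Credential:
        """The 'determining' step: release the credential only against a matching grant."""
        if (delegate, user, app) not in self._grants:
            self.audit.append(("deny", delegate, user, app))
            raise PermissionDenied(f"{delegate} may not act for {user} on {app}")
        cred = self._vault.get((user, app))
        if cred is None:
            self.audit.append(("missing", delegate, user, app))
            raise KeyError(f"no credential stored for {user} on {app}")
        self.audit.append(("release", delegate, user, app))
        return cred


class RemoteApp:
    """The first remote computer application: it only understands its own logins."""
    def __init__(self, name: str, accounts: dict[str, str]) -> None:
        self.name = name
        self._accounts = accounts  # username -> secret, constructed sample data

    def login(self, cred: Credential) -> bool:
        expected = self._accounts.get(cred.username, "")
        return hmac.compare_digest(expected.encode(), cred.secret.encode())


class DelegateService:
    """The second remote computer application, acting on the user's behalf."""
    def __init__(self, name: str, broker: CredentialBroker) -> None:
        self.name = name
        self.broker = broker

    def perform_task(self, user: str, app: RemoteApp, task: str) -> str:
        cred = self.broker.retrieve_for(self.name, user, app.name)  # broker checks the grant
        if not app.login(cred):  # supply the retrieved credential to the target application
            raise RuntimeError(f"{app.name} rejected the stored credential for {user}")
        return f"{task} completed on {app.name} as {cred.username}"


def _denied(fn) -> bool:
    try:
        fn()
        return False
    except PermissionDenied:
        return True


def run_demo() -> dict:
    """Constructed scenario: one grant, an ungranted delegate, cross-user reuse, revocation."""
    broker = CredentialBroker()
    crm = RemoteApp("crm.example", {"alice@crm": "s3cret-a", "bob@crm": "s3cret-b"})
    broker.store_credential("alice", "crm.example", Credential("alice@crm", "s3cret-a"))
    broker.store_credential("bob", "crm.example", Credential("bob@crm", "s3cret-b"))
    scheduler = DelegateService("scheduler.example", broker)
    mailer = DelegateService("mailer.example", broker)
    broker.grant("scheduler.example", "alice", "crm.example")  # Alice's only delegation
    allowed = scheduler.perform_task("alice", crm, "sync-calendar")
    mailer_denied = _denied(lambda: mailer.perform_task("alice", crm, "export-contacts"))
    cross_user_denied = _denied(lambda: scheduler.perform_task("bob", crm, "sync-calendar"))
    broker.revoke("scheduler.example", "alice", "crm.example")
    revoked = _denied(lambda: scheduler.perform_task("alice", crm, "sync-calendar"))
    return {"allowed": allowed, "mailer_denied": mailer_denied, "cross_user_denied": cross_user_denied,
            "revoked": revoked, "releases": sum(1 for e in broker.audit if e[0] == "release")}
```

Calling `run_demo()` exercises the four cases that matter for this design: the granted delegate completes its task, an ungranted delegate is refused, a grant for one user cannot be reused against another user's credential for the same application, and a revoked grant stops further releases. Note what the design hands over: the delegate receives the user's plaintext credential for the first application, so the grant lookup in `retrieve_for` is the only control between a request and a live password. The claims say nothing about encrypting the repository at rest, binding a grant to the particular task requested, or protecting the audit trail; a deployment of this pattern would need all three in addition to the check shown here.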
Specification