Security claim transformation with intermediate claims

US 7,748,046 B2
Filed: 04/29/2005
Issued: 06/29/2010
Est. Priority Date: 04/29/2005
Status: Active Grant

First Claim

Patent Images

1. One or more device-readable storage media encoded with device-executable instructions including steps comprising:

receiving, at an identity provider, a request for information from a resource provider to authenticate an account;

retrieving a security claim associated with the account, the security claim being provided by an account store in a first format that is unique to the account store, wherein the account store is one of a plurality of account stores associated with the identity provider, wherein each of the plurality of account stores is associated with a unique format;

transforming the security claim from the first format to an intermediate format using a first transformation rule associated with the account store, wherein the security claim in the first format and the security claim in the intermediate format contain semantically the same information;

transforming the security claim from the intermediate format to a second format using a second transformation rule associated with the resource provider, the second format recognized by the resource provider;

providing the security claim in the second format to the resource provider.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The systems and methods described herein are directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider. A similar two step transformation process using intermediate claims can also be implemented by the resource provider to transform security claims provided by an identity provider from a federated format to formats recognized by the applications.

38 Citations

View as Search Results

18 Claims

1. One or more device-readable storage media encoded with device-executable instructions including steps comprising:
- receiving, at an identity provider, a request for information from a resource provider to authenticate an account;
  
  retrieving a security claim associated with the account, the security claim being provided by an account store in a first format that is unique to the account store, wherein the account store is one of a plurality of account stores associated with the identity provider, wherein each of the plurality of account stores is associated with a unique format;
  
  transforming the security claim from the first format to an intermediate format using a first transformation rule associated with the account store, wherein the security claim in the first format and the security claim in the intermediate format contain semantically the same information;
  
  transforming the security claim from the intermediate format to a second format using a second transformation rule associated with the resource provider, the second format recognized by the resource provider;
  
  providing the security claim in the second format to the resource provider.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The one or more device-readable storage media as recited in claim 1 the steps further comprising identifying the first transformation rule associated with the account store from a set of rules maintained by the identity provider, each rule in the set associated with a corresponding account store.
  - 3. The one or more device-readable storage media as recited in claim 2, the steps further comprising:
    - identifying a new account store associated with the identity provider;
      
      determining a new format associated with the new account store;
      
      determining a new rule to transform the new format to the intermediate format;
      
      incorporating the new rule into the set of rules maintained by the identity provider; and
      
      associating the new rule with the new account store for processing security claims provided by the new account store.
  - 4. The one or more device-readable storage media as recited in claim 1, the steps further comprising:
    - identifying the second transformation rule associated with the resource provider from a set of rules maintained by the identity provider, each rule in the set associated with a corresponding resource provider.
  - 5. The one or more device-readable storage media as recited in claim 4, the steps further comprising:
    - identifying a new resource provider associated with the identity provider;
      
      determining a new format associated with the new resource provider;
      
      determining a new rule to transform the new format to the intermediate format;
      
      incorporating the new rule into the set of rules maintained by the identity provider; and
      
      associating the new rule with the new resource provider for processing security claims provided to the new resource provider.
  - 6. The one or more device-readable storage media as recited in claim 1, the steps further comprising:
    - receiving the security claim in the second format by the resource provider;
      
      transforming the security claim to another intermediate format associated with the resource provider;
      
      identifying the application to which the-security claim is destined;
      
      transforming the security claim from the other intermediate format to a third format using a third transformation rule associated with the identified application, the third format recognized by the application;
      
      providing the security claim in the third format to the application.
  - 7. The one or more device-readable storage media as recited in claim 6, the steps further comprising identifying the third transformation rule from a set of rules maintained by the resource provider, each rule in the set associated with a corresponding application.
  - 8. The one or more device-readable storage media as recited in claim 7, the steps further comprising:
    - identifying a new application associated with the resource provider;
      
      determining a third format associated with claims requested by the resource provider;
      
      determining a new rule to transform claims in the intermediate format to the third format;
      
      incorporating the new rule to the set of rules maintained by the resource provider; and
      
      associating the new rule with the new application for processing security claims destined for the new application.
  - 9. A computing device configured to read the one or more device-readable storage media and to perform the steps as recited in claim 1.

10. One or more device-readable storage media encoded with device-executable components comprising:
- account stores configured to maintain data associated with accounts, each account store further configured to provide a security claim in a format specific to the account store, wherein the account stores include at least one of;
  
  Active Directory (AD), Active Directory Application Mode (ADAM), or Structured Query Language (SQL) systems; and
  
  an identity provider security token service (STS-IP) configured to retrieve the security claims provided by the account stores, the STS-IP also configured to transform each security claim from the format specific to the account store providing the security claim to an intermediate format, wherein each security claim in the format specific to the account store providing the security claim and in the intermediate format contain semantically the same information, the STS-IP further configured to transform the security claim from the intermediate format to a federated format specific to a resource provider to which the security claim is to be sent.
- View Dependent Claims (11, 12, 13)
- - 11. The one or more device-readable storage media as recited in claim 10, further comprising a resource provider security token service (STS-RP) configured to receive security claims from the STS-IP, the STS-RP also configured to transform each security claim from the federated format to another intermediate format, the STS-RP further configured to transform each security claim from the another intermediate format to a format specific to an application to which the security claim is destined.
  - 12. The one or more device-readable storage media as recited in claim 11, wherein at least one of the STS-IP, the STS-RP, or the account stores are implemented in a Federation Service (FS).
  - 13. The one or more device-readable storage media as recited in claim 11, wherein at least one of the STS-IP or the STS-RP is configured to perform security claim transformation with string comparisons.

14. A federated authentication system having one or more computing devices, the federated authentication system comprising:
- means for receiving information for authenticating a user seeking access to services provided by a resource provider;
  
  means for receiving a security claim associated with the user from an account store in an identity provider system, wherein the security claim is in an account store specific format associated with the account store, wherein the account store is one of a plurality of account stores associated with the identity provider system, wherein each of the plurality of account stores is associated with a distinct account store specific format;
  
  means for transforming the security claim from the account store specific format to an intermediate format, wherein the security claim in the account store specific format and the security claim in the intermediate format contain semantically the same information;
  
  means for transforming the security claim from the intermediate format to a federated format recognized by the resource provider; and
  
  means for providing the security claim in the federated format to the resource provider using a security token.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The federated authentication system as recited in claim 14, wherein the identity provider system include multiple account stores and multiple resource providers, wherein the multiple account stores comprise at least the plurality of account stores, and wherein a first set of rules associated with the multiple account stores are used to transform individual security claims from individual account store specific formats to the intermediate format, and wherein a second set of rules associated with the multiple resource providers are used to transform security claims from the intermediate format to federated formats corresponding to the resource providers.
  - 16. The federated authentication system as recited in claim 15, further comprising:
    - means for implementing only M number of rules in the first set, wherein M is equal to a number of the account stores in the identity provider system; and
      
      means for implementing only N number of rules in the second set, wherein N is equal to a number of resource providers.
  - 17. The federated authentication system as recited in claim 16, further comprising means for providing security claim transformation for a new account store in the identity provider system by adding only one rule in the first set.
  - 18. The federated authentication system as recited in claim 16, further comprising means for providing security claim transformation for a new resource provider by adding only one rule in the second set.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nori, Vijayavani, Johnson, Ryan D., Tevosyan, Kahren, Schmidt, Donald E., Spelman, Jeffrey F.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Tran; Tongoc

Application Number

US11/119,236
Publication Number

US 20060248598A1
Time in Patent Office

1,887 Days
Field of Search

726/6, 726 18- 20, 726/1, 726/2, 726/27, 713/168, 713/170, 713/172, 713/175, 713/185, 705/66, 705/67, 707 1- 3
US Class Current

726/27
CPC Class Codes

G06F 21/33   using certificates

G06F 21/6236   between heterogeneous systems

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

Security claim transformation with intermediate claims

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

38 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Security claim transformation with intermediate claims

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links