Systems and methods for enabling trust in a federated collaboration

US 7,953,979 B2
Filed: 12/14/2005
Issued: 05/31/2011
Est. Priority Date: 12/15/2004
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for communicating over a federated network, the method comprising:

receiving, by an identity-providing computing device associated with an identity provider, an indication of a request by a requester for access to a resource of a service provider associated with a service-provider computing device;

transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;

receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;

responsive to a determination that a trust relationship exists, specifying, by the identity-providing computing device, an identity-assertion data structure defined by the third party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;

associating, by the identity-providing computing device, the identity-assertion data structure with the request;

digitally signing, by the identity-providing computing device, the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and

transmitting, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods consistent with the present invention enable explicit and multilateral trust across a community of federated servers via a network. A trusted third party establishes a framework of policies and procedures governing a federation. Organizations joining the federation submit to an audit process of internal policies and procedures to ensure compliance with the policies and procedures of the federation. Upon successful completion of an audit, an organization may receive a digital certificate containing the digital public key of the organization and indicating approval of the trusted third party. The organization may then use the associated digital private key for signing security assertions associated with a request for resources from another federation service provider. The service provider may trust the assertion from the organization based on trust placed in trusted third party by the service provider and the trust placed in the organization by the trusted third party.

102 Citations

View as Search Results

44 Claims

1. A computer-implemented method for communicating over a federated network, the method comprising:
- receiving, by an identity-providing computing device associated with an identity provider, an indication of a request by a requester for access to a resource of a service provider associated with a service-provider computing device;
  
  transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  responsive to a determination that a trust relationship exists, specifying, by the identity-providing computing device, an identity-assertion data structure defined by the third party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
  
  associating, by the identity-providing computing device, the identity-assertion data structure with the request;
  
  digitally signing, by the identity-providing computing device, the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
  
  transmitting, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the digitally-signed identity-assertion data structure comprises:
    - a first data structure comprising the attribute associated with the identity provider; and
      
      a second data structure comprising the request.
  - 3. The method of claim 1, wherein the trust relationship is determined by authentication of an authentication element.
  - 4. The method of claim 3, wherein the authentication element comprises at least one of an assertion, a claim, a token, or a credential.
  - 5. The method of claim 3, wherein authentication includes an exchange of the authentication element between the identity-providing computing device and the service-provider computing device.
  - 6. The method of claim 1, wherein the step of digitally signing the identity-assertion data structure comprises applying, by the identity-providing computing device, a digital signing algorithm based on the digital private key to the identity-assertion data structure.
  - 7. The method of claim 6, wherein the step of digitally signing the identity-assertion data structure further comprises encrypting, by the identity-providing computing device, the identity-assertion data structure.
  - 8. The method of claim 1, wherein the policy for operating the federated network is based on a published standard.
  - 9. The method of claim 1, wherein the identity-assertion data structure is created using an attribute conveyance format.
  - 10. The method of claim 9, wherein the attribute conveyance format is Security Assertion Markup Language.

11. An identity-providing computing system associated with an identity provider for providing communicating over a federated network, the system comprising:
- a communication device;
  
  a memory device storing computer-executable instructions; and
  
  a processor configured to execute the instructions to cause the identity-providing computing system to;
  
  receive an indication of a request by a requester to access a resource of a service-provider computing device associated with a service provider;
  
  transmit, via the communication device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receive, via the communication device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  specify, responsive to a determination that a trust relationship exists, an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
  
  associate the identity-assertion data structure with the request;
  
  digitally sign the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
  
  transmit, via the communication device, the digitally-signed identity-assertion data structure to the service-provider computing device over the network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The identity-providing computing system of claim 11, wherein the digitally-signed identity-assertion data structure comprises:
    - a first data structure comprising the attribute associated with the identity provider; and
      
      a second data structure comprising the request.
  - 13. The identity-providing computing system of claim 11, wherein the processor is further configured to execute the instructions to cause the identity-providing computing system to determine existence of the trust relationship by authentication of an authentication element.
  - 14. The identity-providing computing system of claim 13, wherein the authentication element comprises at least one of an assertion, a claim, a token, or a credential.
  - 15. The identity-providing computing system of claim 13, wherein authentication includes an exchange of the authentication element between the identity-providing computing system and the service-provider computing device.
  - 16. The identity-providing computing system of claim 11, wherein the processor is further configured to execute the instruction to cause the identity-providing computing system to:
    - perform the digital signing by applying a digital signing algorithm based on the digital private key to the identity-assertion data structure.
  - 17. The identity-providing computing system of claim 16, wherein the processor is further configured to execute the instructions to cause the identity-providing computing system encrypt the identity assertion data structure.
  - 18. The identity-providing computing system of claim 11, wherein the policy for communicating on the federated network is based on a published standard.
  - 19. The identity-providing computing system of claim 11, wherein the processor is further configured to execute the instructions to cause the identity-providing computing system to create the identity-assertion data structure using an attribute conveyance format.
  - 20. The identity-providing computing system of claim 19, wherein the attribute conveyance format is Security Assertion Markup Language.

21. A non-transitory computer-readable storage medium storing instructions which, when executed by an identity-providing computing device associated with an identity provider, cause the identity-providing computing device to perform a method for communicating over a federated network, the method comprising:
- receiving an indication of a request by a requester to access a resource of a service provider associated with a service-provider computing device;
  
  transmitting a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receiving a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  responsive to a determination that a trust relationship exists, specifying an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure comprising at least one attribute associated with the requester;
  
  associating the identity-assertion data structure with the request;
  
  digitally signing the identity-assertion data structure using the associated digital private key contained in the received digital certificate; and
  
  transmitting the digitally-signed identity-assertion data structure to the service-provider computing device.

22. A computer-implemented method for communicating over a federated network, the method comprising:
- determining, by an identity-providing computing device associated with an identity provider, credentials associated with a requester requesting access to a resource of a service provider associated with a service-provider computing device;
  
  transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  creating, by the identity-providing computing device, a first data structure comprising an identity-assertion defined by the third-party policy, wherein the first data structure comprises at least one attribute associated with the credentials;
  
  associating, by the identity-providing computing device, the first data structure with a second data structure containing the request for access to the resource of the service provider;
  
  digitally signing, by the identity-providing computing device, a set comprising the first data structure and second data structure using the associated digital private key contained in the received digital certificate, to yield a resulting digitally-signed identity-assertion data structure;
  
  providing, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
  
  receiving, by the identity-providing computing device, the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The method of claim 22, wherein determining credentials comprises authenticating the requester.
  - 24. The method of claim 22, wherein the first data structure is created using an attribute conveyance format.
  - 25. The method of claim 24, wherein the attribute conveyance format is Security Assertion Markup Language.
  - 26. The method of claim 22, wherein the attribute is required by the third-party policy for communicating on the federated network.
  - 27. The method of claim 22, wherein the third-party policy for communicating on the federated network is defined by the trusted third party.
  - 28. The method of claim 22, wherein the step of digitally signing the set comprises applying a digital signing algorithm to the identity-assertion data structure based on the digital private key.
  - 29. The method of claim 28, further comprising encrypting the resulting digitally-signed identity-assertion data structure.
  - 30. The method of claim 28, wherein the digital certificate specifies requirements related to the first data structure.
  - 31. The method of claim 28, wherein the third-party policy specifies a size for the digital private key.

32. An identity-providing computing system associated with an identity provider for communicating over a federated network, the system comprising:
- a communication device;
  
  a memory device storing computer-executable instructions; and
  
  a processor configured to execute the instructions to cause the identity-providing computing system to;
  
  determine credentials associated with a requester requesting access to a resource from a service-provider computing device associated with a service provider;
  
  transmit, via the communication device, a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receive, via the communication device, a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  create a first data structure comprising an identity assertion defined by the third-party policy, wherein the first data structure comprises at least one attribute associated with the credentials;
  
  group the first data structure with a second data structure containing the request for access to the resource of the service provider;
  
  digitally sign the group comprising the first data structure and second data structure using the associated digital private key contained in the received digital certificate, to yield a resulting digitally-signed identity-assertion data structure;
  
  transmit, using the communication device, the resulting digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
  
  receive, via the communication device, the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39)
- - 33. The identity-providing computing system of claim 32, wherein the first data structure is created using an attribute conveyance format.
  - 34. The identity-providing computing system of claim 33, wherein the attribute conveyance format is Security Assertion Markup Language.
  - 35. The identity-providing computing system of claim 32, wherein the attribute is required by the third-party policy for communicating on the federated network.
  - 36. The identity-providing computing system of claim 32, wherein the processor is further configured to execute the instructions to cause the identity-providing computing system to:
    - apply a digital signing algorithm, based on the digital private key, to the group comprising the first data structure and second data structure to yield the resulting digitally-signed identity-assertion data structure.
  - 37. The identity-providing computing system of claim 36, wherein the processor is further configured to execute the instructions to cause the identity-providing computing system to encrypt the resulting digitally-signed identity-assertion data structure.
  - 38. The identity-providing computing system of claim 36, wherein the digital certificate specifies requirements related to the first data structure.
  - 39. The identity-providing computing system of claim 36, wherein the third-party policy for communicating on the federated network specifies a size for the digital private key.

40. A non-transitory computer-readable storage medium storing code that, when executed by an identity-providing computing device associated with an identity provider, causes the identity-providing computing device to perform a method for communicating over a federated network, the method comprising:
- determining credentials associated with a requester requesting access to a resource of a service provider associated with a service-provider computing device;
  
  transmitting a digital public key to a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider;
  
  receiving a digital certificate from the trusted third-party computing device, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  creating a first data structure comprising an identity assertion consistent with the third-party policy for communicating on the federated network, wherein the first data structure comprises at least one attribute associated with the credentials;
  
  associating the first data structure with a second data structure containing the request for the resource of the service provider;
  
  digitally signing, using the associated digital private key contained in received digital certificate, a set comprising the first data structure and second data structure to yield a resulting digitally-signed identity-assertion data structure;
  
  providing the digitally-signed identity-assertion data structure to the service-provider computing device via the network; and
  
  receiving the requested resource via the network from the service-provider computing device, wherein the service-provider computing device transmits the requested resource based on a first trust relationship between the service provider and the trusted third party and on a second trust relationship between the trusted third party and the identity provider.

41. A method for enabling transitive trust in a federated network configuration including an identity-provider computing associated with an identity provider and a service-provider computing device associated with a service provider, the method comprising:
- developing, by actions of a trusted third party of the identity provider and the service provider, policies related to operating the federated network configuration, wherein the policies include procedures for;
  
  associating, by the identity-provider computing device, attributes of a requester with a request to access to a resource of the service provider computing device;
  
  transmitting, by the identity-providing computing device, a digital public key to a trusted third-party computing device associated with the trusted third party;
  
  receiving, by the identity-providing computing device, a digital certificate from the trusted third-party computing device, the digital certificate being issued to the identity provider by the trusted third party and indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network,wherein the digital certificate contains a digital private key associated with the provided digital public key;
  
  responsive to a determination that a trust relationship exists, specifying, by the identity-providing computing device, an identity-assertion data structure defined by the third-party policy, the identity-assertion data structure including the attributes;
  
  digitally signing, by the identity-providing computing device, the identity-assertion data structure using the associated digital private key contained in the received digital certificate;
  
  transmitting, by the identity-providing computing device, the digitally-signed identity-assertion data structure to the service provider computing device;
  
  transmitting the requested resource, by the service-provider computing device, to the identity-providing computing device based on a first trust relationship established between the service provider and the trusted third party and on a second trust relationship established between the trusted third party and the identity provider;
  
  granting access to the third-party policy for communicating on the federated network;
  
  auditing an applicant to the federated network configuration for compliance with the policy; and
  
  issuing a digital certificate to the applicant based on a result of the audit.

42. A computer-implemented method for communicating on a federated network including a service-provider computing device associated with a service provider and an identity-provider computing device associated with an identity provider, the method comprising:
- receiving, by the service provider-computing device, a digitally-signed identity-assertion data structure from the identity-provider computing device including a request to access a resource of the service-provider and at least one attribute associated with the requester,the data structure signed using digital private key contained in a digital certificate received by the identity-provider computing device from a trusted third-party computing device associated with a trusted third party of the identity provider and the service provider, the digital certificate indicating that the trusted third party has audited and approved policies of the identity provider for compliance with policies of the trusted third party for communicating on the federated network;
  
  determining, by the service-provider computing device, whether the digital certificate issued to the identity provider complies with the policies of the trusted third party for communicating on the federated network;
  
  parsing, by the service-provider computing device, the identity-assertion data structure to determine whether the content of the identity-assertion data structure complies with the policies of the trusted third party for communicating on the federated network; and
  
  when it is determined that either the digital certificate or the content of the identity-assertion data structure does not comply with the policies of the trusted third party for communicating on the federated network;
  
  logging a breach of the third-party policy by transmitting a notification of breach to an audit server maintained by the trusted third party.
- View Dependent Claims (43, 44)
- - 43. The method of claim 42, further comprising when it is determined that the digital certificate and the content of the identity-assertion data structure comply with the third-party policy:
    - determining, by the service-provider computing device, whether the requester is privileged to access the requested resource based on the at least one attribute; and
      
      providing access to the requested resource when it is determined that the requester is privileged.
  - 44. The method of claim 42, further comprising transmitting an e-mail notification of the breach to an account associated with an administrator of the trusted third party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Exostar Corp.
Original Assignee
Exostar Corp.
Inventors
Nigriny, Jeffrey Dean, Kobielus, James Gerard, Borneman, Christopher Allen, Takanti, Vijay Kumar, Sherwood, Robert Edmund
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/302,284
Publication Number

US 20060129817A1
Time in Patent Office

1,994 Days
Field of Search

726/5, 726/10, 713/201
US Class Current

713/175
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/101   Access control lists [ACL]

H04L 67/53   using third party service p...

H04L 69/329   in the application layer [O...

Systems and methods for enabling trust in a federated collaboration

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

102 Citations

44 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for enabling trust in a federated collaboration

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

102 Citations

44 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links