Invocation of a third party's service

US 8,028,325 B2
Filed: 02/06/2006
Issued: 09/27/2011
Est. Priority Date: 08/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for invoking a computer implemented service on a computer system including at least one processor, the method comprising:

receiving a request from a first user to access a service associated with a second user that is different than the first user, the request including a security token specific to the first user and including at least one of an identity token specific to the second user and a pointer to the identity token specific to the second user, wherein one of the first and second users is a guardian of the other user, wherein receiving the request from the first user to invoke a service associated with the second user comprises receiving the request from the first user to invoke a service for which the second user is a registered user and for which the first user cannot otherwise independently access, and wherein the identity token comprises a Security Assertions Mark-up Language (SAML) assertion;

accessing the security token;

determining, using the at least one processor, the acceptability of the security token to authenticate the first user;

accessing the identity token;

determining, using the at least one processor, the acceptability of the identity token to securely identify the second user; and

enabling the first user to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Invoking a computer implemented service includes receiving a request from a first user to access a service associated with a second user. The request is associated with a security token for the first user and an identity token for the second user. The acceptability of the security token is determined to authenticate the first user, and the acceptability of the identity token is determined to securely identify the second user. The first user is able to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.

30 Citations

View as Search Results

38 Claims

1. A method for invoking a computer implemented service on a computer system including at least one processor, the method comprising:
- receiving a request from a first user to access a service associated with a second user that is different than the first user, the request including a security token specific to the first user and including at least one of an identity token specific to the second user and a pointer to the identity token specific to the second user, wherein one of the first and second users is a guardian of the other user, wherein receiving the request from the first user to invoke a service associated with the second user comprises receiving the request from the first user to invoke a service for which the second user is a registered user and for which the first user cannot otherwise independently access, and wherein the identity token comprises a Security Assertions Mark-up Language (SAML) assertion;
  
  accessing the security token;
  
  determining, using the at least one processor, the acceptability of the security token to authenticate the first user;
  
  accessing the identity token;
  
  determining, using the at least one processor, the acceptability of the identity token to securely identify the second user; and
  
  enabling the first user to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 33, 34, 35, 36, 37, 38)
- - 2. The method of claim 1, wherein receiving the request from the first user to invoke a service associated with the second user comprises receiving the request from the first user to invoke a service for which the second user is a registered user and the first user is not a registered user.
  - 3. The method of claim 1, wherein receiving the request from the first user comprises receiving a message from the first user that includes a header portion having the identity token.
  - 4. The method of claim 3, wherein the header portion additionally includes the security token or a pointer to the security token.
  - 5. The method of claim 4, wherein the security token or the pointer to the security token is contained in a security context in the header portion.
  - 6. The method of claim 5, wherein the security context comprises a Web Services Security (WS-Security) context.
  - 7. The method of claim 5, wherein the security context additionally includes one or more rules or conditions for permissible use of the security token.
  - 8. The method of claim 5, wherein the header portion includes a container configured to contain the identity token, the container being distinct from the security context.
  - 9. The method of claim 1, wherein the security token comprises a Security Assertions Mark-up Language (SAML) assertion or a SAML authentication assertion.
  - 10. The method of claim 1, wherein determining the acceptability of the security token to authenticate the first user comprises determining that the security token is valid.
  - 11. The method of claim 10, wherein determining that the security token is valid comprises determining that the security token is signed by a trusted issuing authority.
  - 12. The method of claim 1, wherein determining the acceptability of the security token to authenticate the first user comprises determining that the security token is used by the first user in accordance with one or more permissible use requirements.
  - 13. The method of claim 12, wherein the permissible use requirements include one or more of:
    - a requirement that the security token be received during a predetermined time period, a requirement that the security token be sent to an authorized recipient, and a requirement that the security token be received from an authorized sender.
  - 14. The method of claim 1, wherein determining the acceptability of the identity token to securely identify the second user comprises determining that the identity token is valid.
  - 15. The method of claim 14, wherein determining that the identity token is valid comprises determining that the identity token is signed by a trusted issuing authority.
  - 16. The method of claim 1, wherein determining the acceptability of the identity token to securely identify the second user comprises determining that the identity token is used by the first user in accordance with one or more permissible use requirements.
  - 17. The method of claim 16, wherein the permissible use requirements include one or more of:
    - a requirement that the identity token be received during a predetermined time period, a requirement that the identity token be sent to an authorized recipient, and a requirement that the identity token be received from an authorized sender.
  - 18. The method of claim 1, further comprising determining whether the first user is authorized to access the service associated with the second user.
  - 19. The method of claim 18, wherein enabling the first user to access the service associated with the second user is further conditioned on the first user being authorized to access the service associated with the second user.
  - 20. The method of claim 18, wherein determining whether the first user is authorized to access the service associated with the second user comprises accessing a set of preferences associated with the second user to determine whether to authorize the first user to access the service.
  - 21. The method of claim 20, wherein:
    - the service comprises a group of service features, andenabling the first user to access the service comprises enabling the first user to access only a subset of the group of service features conditioned on the set of preferences including a preference to limit the access of the first user to the subset of service features.
  - 22. The method of claim 21, wherein the subset of service features comprises a subset of service features specified by the second user.
  - 23. The method of claim 21, wherein the service comprises an image storage service and the subset of service features includes service features related to viewing images stored by the second user.
  - 24. The method of claim 23, wherein the subset excludes service features related to one or more of:
    - deleting images, adding images, and changing the organization of image storage.
  - 25. The method of claim 21, wherein the service comprises an address book or calendar service and the subset of service features includes service features related to viewing all or selected calendar entries or address book entries.
  - 26. The method of claim 25, wherein the subset excludes service features related to one or more of:
    - adding calendar or address book entries, deleting calendar or address book entries, and editing calendar or address book entries.
  - 27. The method of claim 20, wherein the set of preferences include a time limit or window of time during which the first user is authorized to access the service.
  - 28. The method of claim 20, wherein the set of preferences deny authorization to the first user if more than a predetermined number of requests by the first user to invoke the second user'"'"'s service were received from the first user in the past.
  - 29. The method of claim 28, wherein the service comprises a pay-per-view service and the set of preferences deny authorization to the first user if more than a predetermined number of requests to watch a video were received from the first user in the past.
  - 30. The method of claim 29, wherein the predetermined number of requests is specified by the second user.
  - 33. The method of claim 1, wherein receiving the request comprises receiving a request that includes the security token and the identity token.
  - 34. The method of claim 1, wherein receiving the request comprises receiving a request that includes the security token and the pointer to the identity token.
  - 35. The method of claim 1, wherein receiving the request comprises receiving a request that includes a message header and a message body, the message header including the security token and including the identity token or the pointer to the identity token.
  - 36. The method of claim 35, wherein receiving the request comprises receiving a request that includes the message header and the message body, the message header including the security token and the identity token.
  - 37. The method of claim 36, wherein:
    - accessing the security token comprises extracting the security token from the message header, andaccessing the identity token comprises extracting the identity token from the message header.
  - 38. The method of claim 37, wherein:
    - extracting the security token from the message header comprises extracting a first SAML assertion or a first SAML authentication assertion from the message header, andextracting the identity token from the message header comprises extracting a second SAML assertion or a second SAML authentication assertion from the message header, the second SAML assertion being different from the first SAML assertion and the second SAML authentication assertion being different from the first SAML authentication assertion.

31. A computer system including:
- at least one non-transient memory that stores instructions;
  
  at least one microprocessor for invoking a computer implemented service, the at least one microprocessor executing the instructions to perform steps comprising;
  
  receive a request from a first user to access a service associated with a second user that is different than the first user, the request including with a security token specific to the first user and including at least one of an identity token specific to the second user and a pointer to the identity token specific to the second user, wherein one of the first and second users is a guardian of the other user, wherein receiving the request from the first user to invoke a service associated with the second user comprises receiving the request from the first user to invoke a service for which the second user is a registered user and for which the first user cannot otherwise independently access, and wherein the identity token comprises a SAML assertion;
  
  determine the acceptability of the security token to authenticate the first user; and
  
  determine the acceptability of the identity token to securely identify the second user; and
  
  enable the first user to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.

32. A non-transient computer readable storage medium containing instructions that, when executed by a microprocessor, cause the microprocessor to perform steps comprising:
- receiving a request from a first user to access a service associated with a second user that is different than the first user, the request including a security token specific to the first user and including at least one of an identity token specific to the second user and a pointer to the identity token specific to the second user, wherein one of the first and second users is a guardian of the other user, wherein receiving the request from the first user to invoke a service associated with the second user comprises receiving the request from the first user to invoke a service for which the second user is a registered user and for which the first user cannot otherwise independently access, and wherein the identity token comprises a SAML assertion;
  
  determining the acceptability of the security token to authenticate the first user;
  
  determining the acceptability of the identity token to securely identify the second user; and
  
  enabling the first user to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
AOL Inc. (Apollo Global Management, Inc.)
Inventors
Cahill, Conor P.
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
RAHMAN, MOHAMMAD L

Application Number

US11/347,573
Publication Number

US 20070033148A1
Time in Patent Office

2,059 Days
Field of Search

380/201, 726/9, 726/2, 713/169
US Class Current

726/2
CPC Class Codes

G06Q 10/10 Office automation; Time man...

G06Q 20/367 involving electronic purses...

Invocation of a third party's service

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Invocation of a third party's service

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links