Provisioning of digital identity representations

US 8,087,072 B2
Filed: 09/17/2007
Issued: 12/27/2011
Est. Priority Date: 01/18/2007
Status: Active Grant

First Claim

Patent Images

1. A system for provisioning a digital identity representation for a principal, comprising:

a digital identity representation generation system for generating the digital identity representation;

an identity provider for generating an identity token in response to receiving an identity-token request, wherein the identity-token request is generated in response to selection of the digital identity representation; and

an identity data store, operatively connected to the identity provider and to the digital identity representation generation system;

wherein the digital identity representation generation system accesses the identity data store to determine at least one type of identity claim available to be included in the generated digital identity representation and wherein the identity provider accesses the identity data store in generating the identity token.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for provisioning digital identity representations (“DIRs”) uses various techniques and structures to ease administration, increase accuracy, and decrease inconsistencies of a digital-identity provisioning system. A system is provided using a common identity data store for both DIR issuance and identity token issuance, decreasing synchronization issues. Various methods are provided for creating new DIRs, notifying principals of available DIRs, and approving issuance of new DIRs.

171 Citations

20 Claims

1. A system for provisioning a digital identity representation for a principal, comprising:
- a digital identity representation generation system for generating the digital identity representation;
  
  an identity provider for generating an identity token in response to receiving an identity-token request, wherein the identity-token request is generated in response to selection of the digital identity representation; and
  
  an identity data store, operatively connected to the identity provider and to the digital identity representation generation system;
  
  wherein the digital identity representation generation system accesses the identity data store to determine at least one type of identity claim available to be included in the generated digital identity representation and wherein the identity provider accesses the identity data store in generating the identity token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the digital identity representation generation system is further adapted to:
    - receive a request through a first channel to create the digital identity representation for the principal;
      
      issue a notification through a second channel that the digital identity representation has been requested; and
      
      receive an approval for the digital identity representation to be created.
  - 3. The system of claim 1, wherein the digital identity representation generation system is further adapted to:
    - issue a notification that one or more digital identity representations are available for the principal; and
      
      receive a request to create the one or more digital identity representations.
  - 4. The system of claim 1, further comprising a principal machine, wherein the principal machine is adapted to:
    - poll the digital identity representation generation system to determine whether a new digital identity representation is available to the principal;
      
      request that the new digital identity representation be created; and
      
      receive the new digital identity representation.
  - 5. The system of claim 1, further comprising an administrator machine, controlled by an administrator and adapted to set a policy that a group of principals are permitted access to the digital identity representation, and wherein the group of principals are notified that the digital identity representation is available and the digital identity representation generation system is adapted to receive a request from at least a first principal in the group of principals to create the digital identity representation.
  - 6. The system of claim 1, wherein the identity data store includes at least a first category of data and a second category of data, further comprising:
    - an administrator machine, operatively connected to the identity data store, for creating a change in at least the first category of data;
      
      wherein, after the change, the digital identity representation generation system generates digital identity representations that reflect the change and the identity provider generates identity tokens that reflect the change.
  - 7. The system of claim 6, wherein, if the change affects the validity of any digital identity representation already generated by the digital identity representation generation system, the digital identity representation generation system notifies each principal that received the affected digital identity representation and creates a new digital identity representation reflecting the change.
  - 8. The system of claim 1, wherein the digital identity representation generation system is further adapted to cryptographically protect the digital identity representation and send the cryptographically protected digital identity representation to a principal machine.
  - 9. The system of claim 1, further comprising:
    - an administrator machine for creating a first digital identity representation descriptor; and
      
      a principal machine for requesting a digital identity representation conforming to the first digital identity representation descriptor.

10. A method for provisioning a digital identity representation for a principal, comprising:
- authenticating the principal to a digital identity representation generation system using sign-on information;
  
  receiving a request for a digital identity representation;
  
  generating the digital identity representation for the principal, wherein the digital identity representation is secured using at least some of the sign-on information such that the sign-on information must be provided before the digital identity representation can be used; and
  
  sending the digital identity representation to a principal machine.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method of claim 10, wherein the sign-on information comprises at least some log-on information used to log onto the principal machine.
  - 12. The method of claim 10, further comprising the step of:
    - creating a first digital identity representation descriptor;
      
      wherein the requested digital identity representation conforms to the first digital identity representation descriptor.
  - 13. The method of claim 10, further comprising the step, before the step of authenticating, of:
    - issuing a notification to the principal that the digital identity representation is available to the principal.
  - 14. The method of claim 10, wherein the step of receiving a request comprises receiving the request for the digital identity representation through a first channel, and further comprising the steps of:
    - issuing a notification through a second channel that the digital identity representation has been requested; and
      
      receiving approval for the digital identity representation to be generated.
  - 15. The method of claim 10, further comprising the step, prior to the step of generating, of:
    - determining whether the principal is a member of a group approved to receive the digital identity representation.
  - 16. The method of claim 10, further comprising the step of:
    - responding to a request as to whether any digital identity representations are available to the principal.

17. A system for provisioning a digital identity representation for a principal, comprising:
- a processing unit;
  
  a memory, operably connected to the processing unit and including instructions that, when executed by the processing unit, cause the processing unit to perform a method, the method comprising the steps of;
  
  authenticating the principal to a digital identity representation generation system using sign-on information;
  
  receiving a request for a digital identity representation;
  
  generating the digital identity representation for the principal, wherein the digital identity representation is secured using at least some of the sign-on information such that the sign-on information must be provided before the digital identity representation can be used; and
  
  sending the digital identity representation to a principal machine.
- View Dependent Claims (18, 19, 20)
- - 18. The system of claim 17, wherein the sign-on information comprises at least some log-on information used to log onto the principal machine.
  - 19. The system of claim 17, wherein the step of receiving a request comprises receiving the request for the digital identity representation through a first channel, and the method further comprises the steps of:
    - issuing a notification through a second channel that the digital identity representation has been requested; and
      
      receiving approval for the digital identity representation to be generated.
  - 20. The system of claim 17, wherein the method further comprises the step, prior to the step of generating, of:
    - determining whether the principal is a member of a group approved to receive the digital identity representation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Gajjala, Vijay K., Brace, Colin H., Del Conte, Derek T., Cameron, Kim, Nanda, Arun K., Wilson, Hervey O., Kwan, Stuart L. S., Raj, Rashmi, Nori, Vijayavani
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Durham, Imhotep

Application Number

US11/856,617
Publication Number

US 20080178271A1
Time in Patent Office

1,562 Days
Field of Search

726/6
US Class Current

726/6
CPC Class Codes

G06F 21/33   using certificates

H04L 2209/56   Financial cryptography, e.g...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 9/3213   using tickets or tokens, e....

Provisioning of digital identity representations

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

171 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Provisioning of digital identity representations

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

171 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links