Identity providers in digital identity system
Abstract
A digital identity system includes a principal including an identity selector programmed to receive a security policy from a relying party, review a plurality of digital identities associated with the principal, and request one or more claims related to an identity of the principal from an identity provider. The principal is further programmed to receive one or more security tokens including the claims from the identity provider, and to forward the security tokens to the relying party.
16 Claims
1. A digital identity system, the digital identity system comprising a first computer, the first computer associated with a principal, the first computer comprising storage media that store computer readable instructions, execution of the computer readable instructions causing the first computer to:
store a first digital identity at the first computer, the first digital identity associated with the principal and a first identity provider, the first digital identity comprising a first XML document, the first XML document containing a first claim list, the first claim list specifying claims that the first identity provider is able to provide;
store a second digital identity at the first computer, the second digital identity associated with the principal and a second identity provider, the second digital identity comprising a second XML document, the second XML document containing a second claim list, the second claim list specifying claims that the second identity provider is able to provide;
after storing the first digital identity and the second digital identity at the first computer, send a request to a relying party;
receive a security policy from the relying party in response to the request, the security policy comprising a third XML document, the third XML document specifying a security token type required by the relying party and specifying required claims;
in response to receiving the security policy, automatically determine, based on a review of the claims specified by the first claim list and the second claim list, that the first claim list specifies each of the required claims;
after determining that the first claim list specifies each of the required claims, send a first token request to the first identity provider, the first token request requesting a first security token, the first token request indicating one or more of the required claims specified by the security policy;
receive the first security token from the first identity provider, the first security token including a third claim list, the third claim list including the one or more required claims specified by the security policy, the first security token being of the security token type specified by the security policy; and
forward the security token to the relying party.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
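The selection step of claim 1, as an added worked example written for this page (it is not the patent's or Windows CardSpace's code): two stored cards and one relying-party policy are parsed, the card whose claim list covers every required claim is chosen, a token request naming only the required claims is built, and the returned token is checked against the policy before it is forwarded. The XML element names, claim URIs and sample documents are assumptions made for the example. The selector also checks the card's issuable token types, which claim 1 does not require but the card fields of claim 16 make possible; a card that lists the right claims but cannot produce the required token type is skipped.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
JWT = "urn:ietf:params:oauth:token-type:jwt"
NS = "http://schemas.example/claims/"  # assumed claim namespace for the example

# Constructed sample documents (not from the patent): two stored cards and one policy.
CARD_BANK = f"""<InformationCard id="urn:card:bank-1" issuer="https://idp.bank.example">
  <SupportedClaimTypes>
    <Claim uri="{NS}givenname"/><Claim uri="{NS}surname"/>
    <Claim uri="{NS}dateofbirth"/><Claim uri="{NS}emailaddress"/>
  </SupportedClaimTypes>
  <SupportedTokenTypes><TokenType uri="{SAML1}"/></SupportedTokenTypes>
</InformationCard>"""

CARD_SOCIAL = f"""<InformationCard id="urn:card:social-7" issuer="https://idp.social.example">
  <SupportedClaimTypes>
    <Claim uri="{NS}givenname"/><Claim uri="{NS}emailaddress"/>
  </SupportedClaimTypes>
  <SupportedTokenTypes><TokenType uri="{JWT}"/></SupportedTokenTypes>
</InformationCard>"""

POLICY = f"""<SecurityPolicy>
  <TokenType uri="{SAML1}"/>
  <RequiredClaims><Claim uri="{NS}givenname"/><Claim uri="{NS}emailaddress"/></RequiredClaims>
</SecurityPolicy>"""

# Constructed tokens as an identity provider might return them.
TOKEN_OK = (f'<SecurityToken type="{SAML1}"><Claim uri="{NS}givenname">Ada</Claim>'
            f'<Claim uri="{NS}emailaddress">ada@example.org</Claim></SecurityToken>')
TOKEN_WRONG_TYPE = TOKEN_OK.replace(SAML1, JWT)
TOKEN_SHORT = f'<SecurityToken type="{SAML1}"><Claim uri="{NS}givenname">Ada</Claim></SecurityToken>'


def parse_card(xml_text):
    """Read the parts of a stored digital identity the selector needs."""
    root = ET.fromstring(xml_text)
    return {
        "id": root.get("id"),
        "issuer": root.get("issuer"),
        "claims": {c.get("uri") for c in root.iter("Claim")},
        "token_types": {t.get("uri") for t in root.iter("TokenType")},
    }


def parse_policy(xml_text):
    """Required token type and required claims from the relying party's policy."""
    root = ET.fromstring(xml_text)
    return {
        "token_type": root.find("TokenType").get("uri"),
        "required": {c.get("uri") for c in root.iter("Claim")},
    }


def cards_covering_claims(cards, policy):
    """Claim 1's test: every required claim appears in the card's claim list."""
    return [c for c in cards if policy["required"] <= c["claims"]]


def select_cards(cards, policy):
    """Stricter selection: claims covered and the required token type issuable."""
    return [c for c in cards_covering_claims(cards, policy)
            if policy["token_type"] in c["token_types"]]


def build_token_request(card, policy):
    """Token request to the card's issuer naming only the required claims.
    The card may list more claims than the relying party needs; asking only
    for the required ones keeps disclosure to the policy's minimum."""
    claims = "".join(f"<Claim uri={quoteattr(u)}/>" for u in sorted(policy["required"]))
    return (f"<TokenRequest issuer={quoteattr(card['issuer'])} card={quoteattr(card['id'])}>"
            f"<TokenType uri={quoteattr(policy['token_type'])}/>"
            f"<RequestedClaims>{claims}</RequestedClaims></TokenRequest>")


def token_satisfies_policy(token_xml, policy):
    """Check before forwarding: the issued token must be of the required type
    and actually carry every required claim; otherwise the selector should not
    relay it to the relying party."""
    root = ET.fromstring(token_xml)
    if root.get("type") != policy["token_type"]:
        return False
    present = {c.get("uri") for c in root.iter("Claim")}
    return policy["required"] <= present
```

Running the selection over the two constructed cards shows the difference between the two tests: both cards list the two required claims, but only the bank card can issue the SAML token type the policy demands, so only it is offered for the token request.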
9. A method for providing a digital identity, the method comprising:
sending, by a first computer, a digital identity to a second computer, the first computer associated with an identity provider, the second computer associated with a principal, the digital identity comprising a first XML document that contains a listing of claims that an identity provider is able to provide, the digital identity being an artifact that represents a token issuance relationship between the principal and the identity provider;
after sending the digital identity to the second computer, receiving, by the first computer, a token request from the second computer, the token request requesting a security token, the token request comprising a second XML document, the second XML document specifying one or more of the claims indicated by the digital identity, the second XML document specifying a security token type;
in response to receiving the token request, generating, by the first computer, claims specified by the second XML document;
after generating the claims, transforming, by the first computer, the claims;
after transforming the claims, generating, by the first computer, the security token, the security token including the claims specified by the second XML document, the security token being of the security token type specified by the second XML document; and
sending, by the first computer, the security token to the second computer in response to the request.
Dependent claims: 10, 11, 12, 13, 14, 15
16. A non-transitory computer-readable storage medium comprising computer-executable instructions that, when executed by a first computer, cause the first computer to:
send a digital identity to a principal, the digital identity comprising a first XML document, the first XML document containing: a listing of claims that an identity provider is able to provide, a globally unique identifier for the digital identity, a date and time when the digital identity was issued, a hint to be displayed to the principal to help provide a right credential, an unambiguous description of the credential to use for authenticating to the identity provider, an inline image that provides a graphical image for the digital identity that can be displayed in user interfaces, a date and time after which the digital identity is expired, a friendly name for the digital identity, a friendly name for the issuer of the digital identity, and a list of token types that the identity provider can issue; wherein the digital identity is an artifact that represents a token issuance relationship between the principal and the identity provider;
after sending the digital identity to the principal, receive a token request from a second computer, the second computer associated with the principal, the token request requesting a security token, the token request comprising a second XML document, the second XML document specifying one or more requested claims, the requested claims related to an identity of the principal, the requested claims being among the claims in the listing of claims contained by the digital identity, the second XML document specifying a security token type;
generate the requested claims in a first format;
transform the requested claims such that the requested claims are formatted in a second format and such that the requested claims are altered semantically such that the requested claims reveal less personal information about the principal, the second format being a format required by the relying party, the second format being different from the first format;
after transforming the requested claims into the second format, encrypt the requested claims;
after encrypting the requested claims, generate the security token, the security token including a computational token and a display token, the computational token being of the security token type specified by the second XML document, the computational token including the requested claims, the display token including each of the requested claims in a format that can be reviewed by the principal, the display token cryptographically bound to the computational token; and
send the security token to the second computer.
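The issuance side of claims 9 and 16, as an added example written for this page (not the patent's or any product's implementation): the requested claims are checked against the card's listing, generated in the provider's raw form, transformed so that a full birth date becomes an over-18 claim that reveals less, and packaged as a computational token with a display token bound to it by digest. The JSON token layout, the HMAC signature standing in for an XML signature, the claim URIs, the fixed clock and the principal record are all assumptions; the encryption step of claim 16 is not shown. The verifier shows the binding doing its job: a display token that has been edited, or attached to a different computational token, is rejected.

```python
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone

NS = "http://schemas.example/claims/"               # assumed claim namespace
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"   # assumed issuer signing key
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducible output

# Constructed data: the claims listed on the card issued to this principal, and
# the principal's raw attributes as the identity provider stores them (first format).
CARD_CLAIMS = {NS + "givenname", NS + "surname", NS + "dateofbirth", NS + "emailaddress"}
PRINCIPAL = {
    NS + "givenname": "Ada",
    NS + "surname": "Lovelace",
    NS + "dateofbirth": "1990-03-14",
    NS + "emailaddress": "ada@example.org",
}


def over18(dob, today):
    """Semantic transformation: a full birth date becomes a yes/no claim."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return "true" if age >= 18 else "false"


# Claims rewritten before issuance: source URI -> (issued URI, transform)
TRANSFORMS = {NS + "dateofbirth": (NS + "over18", over18)}


def generate_claims(requested):
    """Claims in the first format. A request for a claim the card never listed
    is refused rather than silently filled from the principal record."""
    unlisted = sorted(set(requested) - CARD_CLAIMS)
    if unlisted:
        raise ValueError("claims not offered by this card: " + ", ".join(unlisted))
    return {uri: PRINCIPAL[uri] for uri in requested}


def transform_claims(raw, today):
    """Claims in the second format, revealing less wherever a transform exists."""
    out = {}
    for uri, value in raw.items():
        issued_uri, fn = TRANSFORMS.get(uri, (uri, None))
        out[issued_uri] = fn(value, today) if fn else value
    return out


def canonical(obj):
    """Deterministic byte form so signatures and digests are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(payload):
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(requested, token_type, now=NOW):
    """Computational token plus a display token bound to it by digest."""
    claims = transform_claims(generate_claims(requested), now.date())
    computational = {
        "type": token_type,
        "issued": now.isoformat(),
        "expires": (now + timedelta(minutes=10)).isoformat(),
        "claims": claims,
    }
    comp_bytes = canonical(computational)
    display = {
        # human-readable rendering of exactly the claims the computational token carries
        "lines": [f"{uri[len(NS):]}: {val}" for uri, val in sorted(claims.items())],
        "bound_to": hashlib.sha256(comp_bytes).hexdigest(),
    }
    return {
        "computational": computational,
        "computational_sig": sign(comp_bytes),
        "display": display,
        "display_sig": sign(canonical(display)),
    }


def verify_token(token):
    """Both signatures must hold and the display token's digest must name the
    computational token it is presented with; otherwise the user could be shown
    one set of claims while a different set goes to the relying party."""
    comp_bytes = canonical(token["computational"])
    if not hmac.compare_digest(sign(comp_bytes), token["computational_sig"]):
        return False
    if not hmac.compare_digest(sign(canonical(token["display"])), token["display_sig"]):
        return False
    return hmac.compare_digest(token["display"]["bound_to"],
                               hashlib.sha256(comp_bytes).hexdigest())
```

A request for givenname and dateofbirth yields a token whose claims are givenname and over18; the birth date itself never leaves the provider, which is the "reveal less personal information" property of claim 16 in working form.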
Specification