Identity providers in digital identity system

US 8,104,074 B2
Filed: 02/24/2006
Issued: 01/24/2012
Est. Priority Date: 02/24/2006
Status: Active Grant

First Claim

Patent Images

1. A digital identity system, the digital identity system comprisinga first computer, the first computer associated with a principal, the first computer comprising storage media that store computer readable instructions, execution of the computer readable instructions causing the first computer to:

store a first digital identity at the first computer, the first digital identity associated with the principal and a first identity provider, the first digital identity comprising a first XML document, the first XML document containing a first claim list, the first claim list specifying claims that the first identity provider is able to provide;

store a second digital identity at the first computer, the second digital identity associated with the principal and a second identity provider, the second digital identity comprising a second XML document, the second XML document containing a second claim list, the second claim list specifying claims that the second identity provider is able to provide;

after storing the first digital identity and the second digital identity at the first computer, send a request to a relying party;

receive a security policy from the relying party in response to the request, the security policy comprising a third XML document, the third XML document specifying a security token type required by the relying party and specifying required claims;

in response to receiving the security policy, automatically determine, based on a review of the claims specified by the first claim list and the second claim list, that the first claim list specifies each of the required claims;

after determining that the first claim list specifies each of the required claims, send a first token request to the first identity provider, the first token request requesting a first security token, the first token request indicating one or more of the required claims specified by the security policy;

receive the first security token from the first identity provider, the first security token including a third claim list, the third claim list including the one or more required claims specified by the security policy, the first security token being of the security token type specified by the security policy; and

forward the security token to the relying party.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A digital identity system includes a principal including an identity selector programmed to receive a security policy from a relying party, review a plurality of digital identities associated with the principal, and request one or more claims related to an identity of the principal from an identity provider. The principal is further programmed to receive one or more security tokens including the claims from the identity provider, and to forward the security tokens to the relying party.

152 Citations

16 Claims

1. A digital identity system, the digital identity system comprisinga first computer, the first computer associated with a principal, the first computer comprising storage media that store computer readable instructions, execution of the computer readable instructions causing the first computer to:
- store a first digital identity at the first computer, the first digital identity associated with the principal and a first identity provider, the first digital identity comprising a first XML document, the first XML document containing a first claim list, the first claim list specifying claims that the first identity provider is able to provide;
  
  store a second digital identity at the first computer, the second digital identity associated with the principal and a second identity provider, the second digital identity comprising a second XML document, the second XML document containing a second claim list, the second claim list specifying claims that the second identity provider is able to provide;
  
  after storing the first digital identity and the second digital identity at the first computer, send a request to a relying party;
  
  receive a security policy from the relying party in response to the request, the security policy comprising a third XML document, the third XML document specifying a security token type required by the relying party and specifying required claims;
  
  in response to receiving the security policy, automatically determine, based on a review of the claims specified by the first claim list and the second claim list, that the first claim list specifies each of the required claims;
  
  after determining that the first claim list specifies each of the required claims, send a first token request to the first identity provider, the first token request requesting a first security token, the first token request indicating one or more of the required claims specified by the security policy;
  
  receive the first security token from the first identity provider, the first security token including a third claim list, the third claim list including the one or more required claims specified by the security policy, the first security token being of the security token type specified by the security policy; and
  
  forward the security token to the relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The digital identity system of claim 1,wherein one or more of the claims in the security token are semantically altered relative to claims provided by the first identity provider.
  - 3. The digital identity system of claim 2, wherein the claims included in the first security token are semantically altered so that the claims in the first security token reveal less personal information about the principal than the claims provided by the first identity provider.
  - 4. The digital identity system of claim 2, wherein execution of the computer readable instructions further causes the first computer to:
    - send a second token request to the first identity provider, the second token request requesting a second security token; and
      
      receive the second security token, the second security token being of a different security token type.
  - 5. The digital identity system of claim 1, wherein the first computer receives the first security token from a second computer, the second computer associated with the identity provider.
  - 6. The digital identity system of claim 1, wherein the first security token includes a computational token and a display token, the computational token including the claims in the third claim list in an encrypted format, the display token including at least a summary of the claims in the third claim list, the summary in a format that can be reviewed by the principal.
  - 7. The digital identity system of claim 1,wherein the first digital identity includes an inline image that provides a graphical image for the digital identity that can be displayed in user interfaces, a friendly name for the digital identity, and a friendly name for the issuer of the digital identity;
    - andwherein execution of the computer readable instructions further cause the first computer to display the graphical image, the friendly name for the digital identity, and the friendly name for the issuer of the digital identity to the principle.
  - 8. The digital identity system of claim 1, wherein prior to storing the first digital identity and the second digital identity, execution of the computer readable instructions further causes the first computer to:
    - send a first digital identity request to the first identity provider;
      
      receive the first digital identity from the first identity provider in response to the first digital identity request;
      
      send a second digital identity request to the second identity provider; and
      
      receive the second digital identity from the second identity provider in response to the second digital identity request.

9. A method for providing a digital identity, the method comprising:
- sending, by a first computer, a digital identity to a second computer, the first computer associated with an identity provider, the second computer associated with a principal, the digital identity comprising a first XML document that contains a listing of claims that an identity provider is able to provide, the digital identity being an artifact that represents a token issuance relationship between the principal and the identity provider;
  
  after sending the digital identity to the second computer, receiving, by the first computer, a token request from the second computer, the token request requesting a security token, the token request comprising a second XML document, the second XML document specifying one or more of the claims indicated by the digital identity, the second XML document specifying a security token type;
  
  in response to receiving the token request, generating, by the first computer, claims specified by the second XML document;
  
  after generating the claims, transforming, by the first computer, the claims;
  
  after transforming the claims, generating, by the first computer, the security token, the security token including the claims specified by the second XML document, the security token being of the security token type specified by the second XML document; and
  
  sending, by the first computer, the security token to the second computer in response to the request.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein transforming the claims comprises altering, by the first computer, the claims included in the security token semantically.
  - 11. The method of claim 10, wherein altering the claims further comprises altering, by the first computer, the claims so that the claims reveal less personal information about the principal.
  - 12. The method of claim 9, wherein transforming the claims comprises formatting, by the first computer, the claims from one format into another format.
  - 13. The method of claim 9, further comprising:
    - sending, by the second computer, a request to a relying party for a security policy;
      
      receiving, by the second computer, the security policy from a third computer, the third computer associated with the relying party, the security policy comprising a third XML document, the third XML document specifying the security token type as being required by the relying party and specifying the one or more claims related to the identity of the principal;
      
      sending, by the second computer, the request for the claims to the first computer; and
      
      after receiving the security token from the first computer, forwarding, by the second computer, the security token to the third computer.
  - 14. The method of claim 13, further comprising:
    - receiving, by the second computer, a selection by the principal of a given digital identity of the principal from among a plurality of digital identities of the principal stored at the second computer, each digital identity in the plurality of digital identities comprising an XML document that represents a token issuance relationship between the principal and a particular identity provider; and
      
      selecting, by the second computer, the identity provider based on the given digital identity.
  - 15. The method of claim 9, wherein generating the security token further includes generating, by the first computer, the security token to include a computational token and a display token, the computational token including the claims in an encrypted format, the display token including at least a summary of the claims in a format that can be reviewed by the principal.

16. A non-transitory computer-readable storage medium comprising computer-executable instructions that, when executed by a first computer, cause the first computer to:
- send a digital identity to a principal, the digital identity comprising a first XML document, the first XML document containing;
  
  a listing of claims that an identity provider is able to provide,a globally unique identifier for the digital identity,a date and time when the digital identity was issued,a hint to be displayed to the principle to help provide a right credential,an unambiguous description of credential to use for authenticating to the identity provider,an inline image that provides a graphical image for the digital identity that can be displayed in user interfaces,a date and time after which the digital identity is expired,a friendly name for the digital identity, anda friendly name for the issuer of the digital identity, and a list of token types that the identity provider can issue;
  
  wherein the digital identity being an artifact that represents a token issuance relationship between the principal and the identity provider;
  
  after sending the digital identity to the principal, receive a token request from a second computer, the second computer associated with the principal, the token request requesting a security token, the token request comprising a second XML document, the second XML document specifying one or more requested claims, the requested claims related to an identity of the principal, the requested claims being among the claims in the listing of claims contained by the digital identity, the second XML document specifying a security token type;
  
  generate the requested claims in a first format;
  
  transform the requested claims such that the requested claims are formatted in a second format and such that the requested claims are altered semantically such that the requested claims reveal less personal information about the principal, the second format being a format required by the relying party, the second format being different from the first format;
  
  after transforming the requested claims into the second format, encrypt the requested claims;
  
  after encrypting the requested claims, generate the security token, the security token including a computational token and a display token, the computational token being of the security token type specified by the second XML document, the computational token including the requested claims, the display token including each of the requested claims in a format that can be reviewed by the principal, the display token cryptographically bound to the computational token; and
  
  send the security token to the second computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Cameron, Kim, Nanda, Arun K.
Primary Examiner(s)
Srivastava, Vivek
Assistant Examiner(s)
TRUONG, THONG P

Application Number

US11/361,281
Publication Number

US 20070204168A1
Time in Patent Office

2,160 Days
Field of Search

713/170, 709/229
US Class Current

726/5
CPC Class Codes

G06F 21/33 using certificates

G06F 2221/2115 Third party

Identity providers in digital identity system

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

152 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Identity providers in digital identity system

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

152 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links