Method of authenticating a client, identity and service providers, authentication and authentication assertion request signals and corresponding computer programs

US 8,205,247 B2
Filed: 10/04/2006
Issued: 06/19/2012
Est. Priority Date: 10/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authentication of a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity of said client and authorize said client to access said service, wherein the method comprises:

at least one step of verifying by said identity provider that an identity level, among a plurality of different identify levels, issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value that represents an authorization of said client in a given context, and stored in hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; and

a step of issuing from said identity provider an authorization of access to said service for said client, said step being performed;

either directly following said verification step should the identity provider determine an identity level required for the access to said service is less restrictive than said stored identity level,or subsequently to the following steps by the identity provider should the identity provider determine the identity level required for the access to said service is more restrictive than said stored identity level or else should no authentication of the client be available;

request for authentication of said client meeting said required identity level,replacement of said identity level stored by said required identity level if said client is authenticated by said identity provider following the step of said authentication request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided of authenticating a client to access a service provided by a service provider, whereby the service provider queries an identity provider to verify identity of the client and authorize access the service. The method includes: verifying using the identity provider to verify that an identity level corresponding to an earlier authentication of the client is stored with the identity provider, and granting service access authorization to the client, which is performed either (i) directly following the verification step when the identity level required is less than the stored identity level, or (ii) after the following steps when the identity level required is greater than the stored identity level or when no client authentication is available, namely requesting authentication of the client having the required identity level and replacing the stored identity level with the required identity level if the client is authenticated by the identity provider.

13 Citations

View as Search Results

9 Claims

1. A method for authentication of a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity of said client and authorize said client to access said service, wherein the method comprises:
- at least one step of verifying by said identity provider that an identity level, among a plurality of different identify levels, issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value that represents an authorization of said client in a given context, and stored in hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; and
  
  a step of issuing from said identity provider an authorization of access to said service for said client, said step being performed;
  
  either directly following said verification step should the identity provider determine an identity level required for the access to said service is less restrictive than said stored identity level,or subsequently to the following steps by the identity provider should the identity provider determine the identity level required for the access to said service is more restrictive than said stored identity level or else should no authentication of the client be available;
  
  request for authentication of said client meeting said required identity level,replacement of said identity level stored by said required identity level if said client is authenticated by said identity provider following the step of said authentication request.
- View Dependent Claims (2, 3)
- - 2. The method for the authentication of a client wishing to access a service of a service provider according to claim 1, wherein said authorization of access to said service issued for said client takes a form of an assertion of authentication transmitted by said identity provider to said service provider, said assertion comprising an indication of a last of said previous identity level stored by said identity provider.
  - 3. The method for the authentication of a client wishing to access a service of a service provider according to of claim 1, wherein said identity level required by said service provider for access to a given predefined service is inserted by said service provider into its query requesting authentication of a client transmitted to said identity provider.

4. A non-transitory computer readable medium containing a hierarchical structure stored therein for hierarchical organization of a plurality of identity levels of identities of at least one entity E from among a plurality of entities forming said structure, at least one of said identities forming said structure comprising at most one parent and n offspring, n being a natural integer, said identity level being a value which represents an authorization of a client associated with said entity E in a given context, and stored in said hierarchical structure, wherein:
- said hierarchical structure defining links between various ones of the plurality of identity levels, said links representing membership of the entity E in the linked identity levels;
  
  at least one of said identities forming said structure comprises a single level of hierarchy of identities in said structure;
  
  said single level of hierarchy of identities of said n offspring of an identity I of said entity E is more restrictive than the single level of hierarchy of identities of said identity I, so that if a request for authentication of said entity E is transmitted by a service provider to an identity provider, the identity provider compares the required identity level included in said request for authentication received from said service provider with a last level of hierarchy of identities stored subsequently to a previous authentication of said entity E.

5. A device for authentication of a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity level, among a plurality of different identity levels, required to authorize said client to access said service, wherein the device comprises:
- a verifier for verifying from said identity provider that an identity level issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value which represents an authorization of said client in a given context, and stored in a hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels;
  
  a comparator, which compares said identity level required for access to said service with said stored identity level;
  
  an issuer for issuing an authorization of access to said service for said client, directly following the verification, by said verifier, that the identity level required for the access to said service is less restrictive than said stored identity level,a requester for requesting authentication of said client meeting said required identity level should the identity level required for the access to said service be more restrictive than said stored identity level or else should no authentication of the client be available,a replacer for replacing said identity level stored by said required identity level if said client is authenticated in response to the query made by said requester.
- View Dependent Claims (6)
- - 6. An identity provider, which implements a device for authentication according to claim 5.

7. An authentication requesting device for a service provider to ask an identity provider for authentication of a client'"'"'s identity, in a form of an authorization of access, enabling said client to access a service of said service provider,wherein the device comprises a processor configured for obtaining, from said identity provider, at least one piece of information representing an identity level, among a plurality of different identity levels, required for said service, said identity level being a value that represents an authorization of said client in a given context, and stored in a hierarchical structure in said identity provider, which defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels, and wherein said processor is also configured for obtaining, from said identity provider, an authorization of access to said service for said client.
- View Dependent Claims (8)
- - 8. An identity provider, which implements an authentication requesting device according to claim 7.

9. A non-transitory computer readable medium containing a computer program stored therein for causing a computer processor to perform a method for authenticating a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity of said client and authorize said client to access said service wherein the method comprises:
- at least one step of verifying by said identity provider that an identity level, among a plurality of different identify levels, issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value which represents an authorization of said client in a given context, and stored in a hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; and
  
  a step of issuing by said identity provider an authorization of access to said service for said client, said step being performed;
  
  either directly following said verification step should the identity provider determine an identity level required for the access to said service be lower is less restrictive than said stored identity level,or subsequently to the following steps by the identity provider should the identity provider determine the identity level required for the access to said service is more restrictive than said stored identity level or else should no authentication of the client be available;
  
  request for authentication of said client meeting said required identity level,replacement of said identity level stored by said required identity level if said client is authenticated by said identity provider following the step of said authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Orange S.A.
Original Assignee
Orange S.A.
Inventors
Lexcellent, Eric, Gourmelen, Gaël, Gordon, Ariel
Primary Examiner(s)
HOFFMAN, BRANDON S

Application Number

US12/088,925
Publication Number

US 20090210930A1
Time in Patent Office

2,085 Days
Field of Search

None
US Class Current

726/4
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

H04L 63/105 Multiple levels of security

Method of authenticating a client, identity and service providers, authentication and authentication assertion request signals and corresponding computer programs

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method of authenticating a client, identity and service providers, authentication and authentication assertion request signals and corresponding computer programs

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links