Method of authenticating a client, identity and service providers, authentication and authentication assertion request signals and corresponding computer programs
Abstract
A method is provided of authenticating a client to access a service provided by a service provider, whereby the service provider queries an identity provider to verify the identity of the client and authorize access to the service. The method includes: verifying, using the identity provider, that an identity level corresponding to an earlier authentication of the client is stored with the identity provider, and granting service access authorization to the client, which is performed either (i) directly following the verification step when the identity level required is less than the stored identity level, or (ii) after the following steps when the identity level required is greater than the stored identity level or when no client authentication is available, namely requesting authentication of the client having the required identity level and replacing the stored identity level with the required identity level if the client is authenticated by the identity provider.
9 Claims
1. A method for authentication of a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity of said client and authorize said client to access said service, wherein the method comprises:
at least one step of verifying by said identity provider that an identity level, among a plurality of different identity levels, issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value that represents an authorization of said client in a given context, and stored in a hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; and a step of issuing from said identity provider an authorization of access to said service for said client, said step being performed; either directly following said verification step should the identity provider determine an identity level required for the access to said service is less restrictive than said stored identity level, or subsequently to the following steps by the identity provider should the identity provider determine the identity level required for the access to said service is more restrictive than said stored identity level or else should no authentication of the client be available; request for authentication of said client meeting said required identity level, replacement of said identity level stored by said required identity level if said client is authenticated by said identity provider following the step of said authentication request.
4. A non-transitory computer readable medium containing a hierarchical structure stored therein for hierarchical organization of a plurality of identity levels of identities of at least one entity E from among a plurality of entities forming said structure, at least one of said identities forming said structure comprising at most one parent and n offspring, n being a natural integer, said identity level being a value which represents an authorization of a client associated with said entity E in a given context, and stored in said hierarchical structure, wherein:
said hierarchical structure defining links between various ones of the plurality of identity levels, said links representing membership of the entity E in the linked identity levels; at least one of said identities forming said structure comprises a single level of hierarchy of identities in said structure; said single level of hierarchy of identities of said n offspring of an identity I of said entity E is more restrictive than the single level of hierarchy of identities of said identity I, so that if a request for authentication of said entity E is transmitted by a service provider to an identity provider, the identity provider compares the required identity level included in said request for authentication received from said service provider with a last level of hierarchy of identities stored subsequently to a previous authentication of said entity E.
5. A device for authentication of a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity level, among a plurality of different identity levels, required to authorize said client to access said service, wherein the device comprises:
a verifier for verifying from said identity provider that an identity level issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value which represents an authorization of said client in a given context, and stored in a hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; a comparator, which compares said identity level required for access to said service with said stored identity level; an issuer for issuing an authorization of access to said service for said client, directly following the verification, by said verifier, that the identity level required for the access to said service is less restrictive than said stored identity level, a requester for requesting authentication of said client meeting said required identity level should the identity level required for the access to said service be more restrictive than said stored identity level or else should no authentication of the client be available, a replacer for replacing said identity level stored by said required identity level if said client is authenticated in response to the query made by said requester.
7. An authentication requesting device for a service provider to ask an identity provider for authentication of a client's identity, in a form of an authorization of access, enabling said client to access a service of said service provider,
wherein the device comprises a processor configured for obtaining, from said identity provider, at least one piece of information representing an identity level, among a plurality of different identity levels, required for said service, said identity level being a value that represents an authorization of said client in a given context, and stored in a hierarchical structure in said identity provider, which defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels, and wherein said processor is also configured for obtaining, from said identity provider, an authorization of access to said service for said client.
9. A non-transitory computer readable medium containing a computer program stored therein for causing a computer processor to perform a method for authenticating a client wishing to access a service of a service provider, said service provider interrogating an identity provider to verify an identity of said client and authorize said client to access said service wherein the method comprises:
at least one step of verifying by said identity provider that an identity level, among a plurality of different identity levels, issued from at least one previous authentication of said client is stored within said identity provider, said identity level being a value which represents an authorization of said client in a given context, and stored in a hierarchical structure that defines links between various ones of the plurality of identity levels, said links representing membership of the client in the linked identity levels; and a step of issuing by said identity provider an authorization of access to said service for said client, said step being performed; either directly following said verification step should the identity provider determine an identity level required for the access to said service is less restrictive than said stored identity level, or subsequently to the following steps by the identity provider should the identity provider determine the identity level required for the access to said service is more restrictive than said stored identity level or else should no authentication of the client be available; request for authentication of said client meeting said required identity level, replacement of said identity level stored by said required identity level if said client is authenticated by said identity provider following the step of said authentication request.
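The decision procedure common to claims 1, 4, 5 and 9 (compare the required identity level with the last stored level in the hierarchy, grant directly when the stored level is at least as restrictive, otherwise request step-up authentication and replace the stored level), as an added illustration that is not code from the patent or its assignee. The level names, the tree shape, the `authenticate` callback and the per-client capability table are constructed assumptions for the example.

```python
from typing import Callable, Dict, Optional

class IdentityHierarchy:
    """Tree of identity levels: each level has at most one parent (the root
    has none) and its offspring are more restrictive than it (claim 4)."""

    def __init__(self, parent_of: Dict[str, Optional[str]]):
        self.parent_of = parent_of

    def covers(self, stored: str, required: str) -> bool:
        """True when the stored level is a member of the required level, i.e.
        the required level is the stored one or one of its ancestors."""
        node: Optional[str] = stored
        while node is not None:
            if node == required:
                return True
            node = self.parent_of[node]
        return False


class IdentityProvider:
    def __init__(self, hierarchy: IdentityHierarchy,
                 authenticate: Callable[[str, str], bool]):
        self.hierarchy = hierarchy
        self.authenticate = authenticate        # hypothetical authentication back end
        self.stored_level: Dict[str, str] = {}  # last identity level per client

    def authorize(self, client: str, required: str) -> dict:
        stored = self.stored_level.get(client)
        # Case (i): a stored level that is the required one or more restrictive
        # than it: the service provider is answered directly.
        if stored is not None and self.hierarchy.covers(stored, required):
            return {"granted": True, "step_up": False, "level": stored}
        # Case (ii): nothing stored, or a less restrictive / unrelated level:
        # request authentication at the required level; on success the stored
        # level is replaced by the required level, as the claims specify.
        if self.authenticate(client, required):
            self.stored_level[client] = required
            return {"granted": True, "step_up": True, "level": required}
        return {"granted": False, "step_up": True, "level": stored}


# Constructed sample data: a hierarchy with two branches under a public root,
# and the levels each client is able to authenticate at.
PARENT_OF = {"public": None, "password": "public",
             "password_otp": "password", "smartcard": "public"}
CAPABLE = {"alice": {"public", "password", "password_otp"}}

def build_demo_idp() -> IdentityProvider:
    return IdentityProvider(IdentityHierarchy(PARENT_OF),
                            lambda client, level: level in CAPABLE.get(client, set()))
```

Note that a stored level on a sibling branch (for example `smartcard` when `password` is required) does not cover the request, so a step-up is triggered and, if it succeeds, the earlier level is overwritten rather than kept alongside.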
Specification