System and method for trusted embedded user interface for authentication

US 8,220,035 B1
Filed: 02/29/2008
Issued: 07/10/2012
Est. Priority Date: 02/29/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

one or more processors;

a memory coupled to one or more processors, wherein the memory stores program instructions executable by the one or more processors to implement a security component associated with a network-enabled application, wherein said security component is configured to;

initiate display of an embedded region of a window drawn by the network-enabled application,wherein the window is drawn according to display information received from a relying party,wherein the display information from the relying party indicates an area where the embedded region is to be drawn,wherein at least part of the appearance of the embedded region of the window is defined by said security component and not by the relying party, andwherein the embedded region is an integral part within the window drawn by the network-enabled application;

determine authentication credentials for a user;

send the authentication credentials to an assertion provider to authenticate the user to the relying party.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security component may be associated with a network-enabled application. The security component may initiate the display of an embedded region of a window drawn according to display information received from a relying party. The security component may define at least a portion of the appearance of the embedded region; the relying party may not define this portion. The embedded region may include customization information configured by a user, and “Card” information received from an assertion provider, indicating how to authenticate user credentials in order to gain access to relying party restricted content. The security component may request authentication of user credentials from the assertion provider, which may be trusted by the relying party. The security component may receive an assertion token from the assertion provider indicating the credentials are authentic. The security component may forward the assertion token to the relying party to gain access to the restricted content.

Citations

54 Claims

1. A system, comprising:
- one or more processors;
  
  a memory coupled to one or more processors, wherein the memory stores program instructions executable by the one or more processors to implement a security component associated with a network-enabled application, wherein said security component is configured to;
  
  initiate display of an embedded region of a window drawn by the network-enabled application,wherein the window is drawn according to display information received from a relying party,wherein the display information from the relying party indicates an area where the embedded region is to be drawn,wherein at least part of the appearance of the embedded region of the window is defined by said security component and not by the relying party, andwherein the embedded region is an integral part within the window drawn by the network-enabled application;
  
  determine authentication credentials for a user;
  
  send the authentication credentials to an assertion provider to authenticate the user to the relying party.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The system as recited in claim 1, wherein said embedded region of said window provides a user interface for receiving information from the user to determine the authentication credentials.
  - 3. The system as recited in claim 1, wherein the security component is further configured to:
    - receive an assertion token from the assertion provider, wherein the assertion token authenticates the user;
      
      forward the assertion token to the relying party.
  - 4. The system as recited in claim 3, wherein the security component is further configured to digitally sign the assertion token prior to forwarding the assertion token to the relying party.
  - 5. The system as recited in claim 1, wherein the relying party and the assertion provider are controlled by the same entity.
  - 6. The system as recited in claim 1, wherein to define the appearance of the embedded region of the window, the security component is configured to access customization information specified by the user.
  - 7. The system as recited in claim 6, wherein the customization information specifies a customized appearance of at least part of the embedded region including one or more of a customized icon, background, or border.
  - 8. The system as recited in claim 7, wherein the security component is configured to apply the customized appearance to the embedded region consistently for different relying parties.
  - 9. The system as recited in claim 6, wherein the customization information is not accessible by the relying party.
  - 10. The system as recited in claim 6, wherein the customization information specified by the user is encrypted to be not accessible by the relying party.
  - 11. The system as recited in claim 1, wherein the security component is configured to determine, according to filter information received from the relying party, one or more cards associated with the relying party for display within the embedded region.
  - 12. The system as recited in claim 11, wherein each card specifies at least a portion of the information required to authenticate the user.
  - 13. The system as recited in claim 11, wherein to determine the one or more cards, the security component is configured to access a secure store comprising card information for a plurality of assertion providers.
  - 14. The system as recited in claim 13, wherein the secure store further comprises customization information specifying a customized appearance of at least part of said user interface.
  - 15. The system as recited in claim 14, wherein the card information and the customization information are encrypted.
  - 16. The system as recited in claim 1, wherein the security component is further configured to:
    - send a request to a reputation service requesting reputation information for the relying party;
      
      receive a response from the reputation service; and
      
      display an indication of the relying party'"'"'s reputation in the embedded region.
  - 17. The system as recited in claim 1, wherein the security component is further configured to:
    - detect said embedded region has been obscured on the user'"'"'s display, and subsequent to said detecting, display a warning.
  - 18. The system as recited in claim 1, wherein said security component is configured to initiate the display of the embedded region in response an invocation request from the replying party.

19. A computer-implemented method, comprising:
- a client-side security component initiating the display of an embedded region of a window drawn by a network-enabled application,wherein the window is drawn according to display information received from a relying party,wherein the display information from the relying party indicates an area where the embedded region is to be drawn,wherein at least part of the appearance of the embedded region of the window is defined by the client-side security component and not by the relying party, andwherein the embedded region is an integral part within the window drawn by the network-enabled application;
  
  the client-side security component determining authentication credentials for a user;
  
  client-side security component sending the authentication credentials to an assertion provider to authenticate the user to the relying party.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 20. The method as recited in claim 19, further comprising the client-side security component providing within said embedded region a user interface for receiving information from the user to determine the authentication credentials.
  - 21. The method as recited in claim 19, further comprising:
    - the client-side security receiving an assertion token from the assertion provider, wherein the assertion token authenticates the user;
      
      the client-side security forwarding the assertion token to the relying party.
  - 22. The method as recited in claim 21, further comprising the client-side security component digitally signing the assertion token prior to forwarding the assertion token to the relying party.
  - 23. The method as recited in claim 19, wherein the relying party and the assertion provider are controlled by the same entity.
  - 24. The method as recited in claim 19, further comprising the client-side security component access customization information specified by the user to define the appearance of the embedded region of the window.
  - 25. The method as recited in claim 24, wherein the customization information specifies a customized appearance of at least part of the embedded region including one or more of a customized icon, background, or border.
  - 26. The method as recited in claim 25, further comprising the client-side security component applying the customized appearance to the embedded region consistently for different relying parties.
  - 27. The method as recited in claim 24, wherein the customization information specified by the user is not accessible by the relying party.
  - 28. The method as recited in claim 24, wherein the customization information specified by the user is encrypted to be not accessible by the relying party.
  - 29. The method as recited in claim 19, further comprising the client-side security component determining, according to filter information received from the relying party, one or more cards associated with the relying party for display within the embedded region.
  - 30. The method as recited in claim 28, wherein each card specifies at least a portion of the information required to authenticate the user.
  - 31. The method as recited in claim 30, wherein said determining comprises the security component accessing a secure store comprising card information for a plurality of assertion providers.
  - 32. The method as recited in claim 30, wherein the secure store further comprises customization information specifying a customized appearance of at least part of said user interface.
  - 33. The method as recited in claim 30, further comprising encrypting the card information and the customization information in the secure store.
  - 34. The method as recited in claim 19, further comprising the client-side security component:
    - sending a request to a reputation service requesting reputation information for the relying party;
      
      receiving a response from the reputation service; and
      
      displaying an indication of the relying party'"'"'s reputation in the embedded region.
  - 35. The method as recited in claim 19, further comprising the client-side security component:
    - detecting said embedded region has been obscured on the user'"'"'s display, and subsequent to said detecting, displaying a warning.
  - 36. The method as recited in claim 19, further comprising receiving an invocation request from the replying party, wherein the client-side security component initiating the display of the embedded region is performed in response to the invocation request.

37. A non-transitory computer-accessible storage medium storing program instructions computer-executable to implement a security component associated with a network-enabled application, wherein said security component is configured to:
- initiate display of an embedded region of a window drawn by the network-enabled application,wherein the window is drawn according to display information received from a relying party,wherein the display information from the relying party indicates an area where the embedded region is to be drawn,wherein at least part of the appearance of the embedded region of the window is defined by said component and not by the relying party, andwherein the embedded region is an integral part within the window drawn by the network-enabled application;
  
  determine authentication credentials for a user;
  
  send the authentication credentials to an assertion provider to authenticate the user to the relying party.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54)
- - 38. The non-transitory computer-accessible storage medium as recited in claim 37, wherein said embedded region of said window provides a user interface for receiving information from the user to determine the authentication credentials.
  - 39. The non-transitory computer-accessible storage medium as recited in claim 37, wherein the security component is further configured to:
    - receive an assertion token from the assertion provider, wherein the assertion token authenticates the user;
      
      forward the assertion token to the relying party.
  - 40. The non-transitory computer-accessible storage medium as recited in claim 39, wherein the security component is further configured to digitally sign the assertion token prior to forwarding the assertion token to the relying party.
  - 41. The non-transitory computer-accessible storage medium as recited in claim 39, wherein the relying party and the assertion provider are controlled by the same entity.
  - 42. The non-transitory computer-accessible storage medium as recited in claim 37, wherein to define the appearance of the embedded region of the window, the security component is configured to access customization information specified by the user.
  - 43. The non-transitory computer-accessible storage medium as recited in claim 42, wherein the customization information specifies a customized appearance of at least part of said embedded region including one or more of a customized icon, background, or border.
  - 44. The non-transitory computer-accessible storage medium as recited in claim 41, wherein the security component is configured to apply the customized appearance to said embedded region consistently for different relying parties.
  - 45. The non-transitory computer-accessible storage medium as recited in claim 42, wherein the customization information specified by the user is not accessible by the relying party.
  - 46. The non-transitory computer-accessible storage medium as recited in claim 42, wherein the customization information specified by the user is encrypted to be not accessible by the relying party.
  - 47. The non-transitory computer-accessible storage medium as recited in claim 37, wherein the security component is configured to determine, according to filter information received from the relying party, one or more cards associated with the relying party for display within said embedded region.
  - 48. The non-transitory computer-accessible storage medium as recited in claim 47, wherein each card specifies at least a portion of the information required to authenticate the user.
  - 49. The non-transitory computer-accessible storage medium as recited in claim 47, wherein to determine the one or more cards, the security component is configured to access a secure store comprising card information for a plurality of assertion providers.
  - 50. The non-transitory computer-accessible storage medium as recited in claim 49, wherein the secure store further comprises customization information specifying a customized appearance of at least part of said user interface.
  - 51. The non-transitory computer-accessible storage medium as recited in claim 50, wherein the card information and the customization information are encrypted.
  - 52. The non-transitory computer-accessible storage medium as recited in claim 37, wherein the security component is further configured to:
    - send a request to a reputation service requesting reputation information for the relying party;
      
      receive a response from the reputation service; and
      
      display an indication of the relying party'"'"'s reputation in the embedded region.
  - 53. The non-transitory computer-accessible storage medium as recited in claim 37, wherein the security component is further configured to:
    - detect said embedded region has been obscured on the user'"'"'s display, and subsequent to said detecting, display a warning.
  - 54. The non-transitory computer-accessible storage medium as recited in claim 37, wherein said security component is configured to initiate the display of the embedded region in response to an invocation request from the replying party.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Pravetz, James D., Steele, Joseph D., Agrawal, Sunil
Primary Examiner(s)
Zee, Edward

Application Number

US12/040,440
Time in Patent Office

1,593 Days
Field of Search

726/4, 726/5, 726/25, 715/749
US Class Current

726/5
CPC Class Codes

G06F 21/34   involving the use of extern...

H04L 63/1483   service impersonation, e.g....

H04L 67/02   based on web technology, e....

System and method for trusted embedded user interface for authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for trusted embedded user interface for authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links