Transforming claim based identities to credential based identities

US 8,296,828 B2
Filed: 12/16/2008
Issued: 10/23/2012
Est. Priority Date: 12/16/2008
Status: Active Grant

First Claim

Patent Images

1. A method to be executed at least in part in a computing device including a memory storing instructions and a processor executing an application in conjunction with the stored instructions for transforming a claim based identity to a credential based identity, the method comprising:

receiving at a secure store service residing on an application server a claim based identity via a security token issued by a trusted authority to a client entity at a front end server through a secure store service proxy residing at the front end server;

mapping a credential to the claim based identity;

validating the claim at the secure store service on the application server;

storing the credential in a secure manner in a Secure Store Database (SSD) associated with the secure store service;

encrypting on the application server the credential stored in the secure store database associated with the secure store service utilizing a master key generated and managed by a key manager;

synchronizing the master key to a new service instance at the key manager;

in response to receiving the security token for each request to access a resource associated with the secure store service, retrieving the credential from a secure store database;

employing a credential manager for decrypting the retrieved credential on the application server;

returning the decrypted credential to the client entity of the request for use in authorization of the client entity to an access controlled resource;

backing up and restoring the SSD at the key manager; and

enabling a user and an administrator to at least one from a set of;

create, read, and delete an application employing an application management API declared by an application manager.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Claim based identities are transformed to a set of credentials and securely stored in a secure data store using a number of encryption schemes. The credentials are then used to authenticate applications requiring specific credential types. For each call to the secure store system, a client application may provide a claims token issued by a trusted source, which is used to search for corresponding credentials in the secure data store if the credentials have been created previously for the user.

34 Citations

View as Search Results

18 Claims

1. A method to be executed at least in part in a computing device including a memory storing instructions and a processor executing an application in conjunction with the stored instructions for transforming a claim based identity to a credential based identity, the method comprising:
- receiving at a secure store service residing on an application server a claim based identity via a security token issued by a trusted authority to a client entity at a front end server through a secure store service proxy residing at the front end server;
  
  mapping a credential to the claim based identity;
  
  validating the claim at the secure store service on the application server;
  
  storing the credential in a secure manner in a Secure Store Database (SSD) associated with the secure store service;
  
  encrypting on the application server the credential stored in the secure store database associated with the secure store service utilizing a master key generated and managed by a key manager;
  
  synchronizing the master key to a new service instance at the key manager;
  
  in response to receiving the security token for each request to access a resource associated with the secure store service, retrieving the credential from a secure store database;
  
  employing a credential manager for decrypting the retrieved credential on the application server;
  
  returning the decrypted credential to the client entity of the request for use in authorization of the client entity to an access controlled resource;
  
  backing up and restoring the SSD at the key manager; and
  
  enabling a user and an administrator to at least one from a set of;
  
  create, read, and delete an application employing an application management API declared by an application manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein a trust between the trusted authority and the secure store service is established.
  - 3. The method of claim 1, wherein issuance of the security token is transparent to the user and handled by a collaborative service, wherein the collaborative service is a security token service (STS).
  - 4. The method of claim 3, further comprising:
    - employing Secure Socket Layer (SSL) protocol to secure the credential between the secure store service and the security token service.
  - 5. The method of claim 1, wherein the security token is a Security Assertions Markup Language (SAML) token.
  - 6. The method of claim 1, wherein the credential is created based on a Single Sign-On (SSO) claim based identity without relying on dependencies of underlying SSO architecture.
  - 7. The method of claim 1, wherein storing the credential based on the security token includes encrypting the credential stored in the secure store database associated with the secure store service employing the master key.
  - 8. The method of claim 7, further comprising:
    - synchronizing the master key to each new secure store service instance at the key manager; and
      
      synchronizing the master key to a change in a secure store service account associated with the user.
  - 9. The method of claim 7, wherein the master key is generated after the secure store service is provisioned.

10. A computer-readable memory device with instructions stored thereon for transforming a claim based identity to a credential based identity, the instructions comprising:
- receiving a claim at a Secure Token Service (STS);
  
  providing a security token upon authenticating the claim;
  
  receiving at a secure store service (SSS) residing on an application server a claim based identity via the security token issued by a trusted authority to a client entity at a front end server through a SSS proxy residing at the front end server, wherein the a trust relationship between the SSS and the STS has been established;
  
  authenticating the claim based identity;
  
  requesting a credential from a credential manager through the SSS proxy;
  
  retrieving the requested credential form the credential manager;
  
  upon receiving the credential request, validating the claim;
  
  mapping the credential to the claim based on the security token;
  
  encrypting the credential stored in the secure store database associated with the SSS using a master key generated and managed by a key manager and stored in a registry associated with the application server;
  
  synchronizing the master key to a new service instance at the key manager;
  
  modifying a master secret key at the key manager and storing the master secret key at the registry associated with the application server, wherein the master secret key includes the master key and the credential encrypted with a trusted source provided pass phrase;
  
  storing the encrypted credential in a secure manner in a Secure Store Database (SSD) associated with the SSS for use in authorization of subsequent requests for access by a user associated with the claim through providing the credential mapped to the claim;
  
  decrypting the encrypted credential at the credential manager;
  
  receiving the decrypted credential form the credential manager at the SSS;
  
  providing the decrypted credential from the SSS to the client entity through the SSS proxy;
  
  backing up and restoring the SSD by the key manager; and
  
  enabling one of the user and an administrator to at least one from a set of;
  
  create, read, and delete an application employing an application management API declared by an application manager.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-readable memory device of claim 10, wherein a plurality of credentials are mapped and stored based on the claim to provide to the user for authentication to a plurality of applications.
  - 12. The computer-readable memory device of claim 10, wherein the master key is further utilized to at least one of:
    - backing up and restoring the secure store database containing the credential.
  - 13. The computer-readable memory device of claim 10, wherein the pass phrase is provided by an SSS administrator and not stored within a system associated with the SSS.

14. A system for transforming a claim based identity to a credential based identity, the system comprising:
- a web server including a memory and a processor coupled to the memory, the processor configured to execute;
  
  a Security Token Service (STS) executed on a web server for receiving a request for a security token from a client application and providing the security token to the client application upon authentication of a user associated with the claim, wherein the security token is a Security Assertions Markup Language (SAML) token;
  
  a first Secure Store Service (SSS) proxy for handling requests from rich clients and web browser clients;
  
  a second SSS proxy for handling requests from web browser clients only;
  
  an application server including a memory and a processor coupled to the memory, the processor configured to execute a Secure Store Service (SSS) that includes;
  
  an SSS application for;
  
  validating the claim;
  
  authenticating the claim based identity;
  
  mapping credentials to the claim based on a received security token, wherein the credentials are created based on a Single Sign-On (SSO) claim based identity without relying on dependencies of underlying SSO architecture;
  
  in response to receiving a request for access to a resource, searching for stored credentials in a secure store database associated with the SSS corresponding to the security token associated with a user submitting the request and providing the stored credentials to the user through one of the first SSS proxy and second SSS proxy;
  
  a credential manager for;
  
  receiving and associating the credentials mapped to the claim with applications from the secure store database; and
  
  encrypting and decrypting the credentials stored in the secure store database and upon request by the SSS, sending the decrypted credentials to the SSS;
  
  a key manager for;
  
  encrypting the credentials for storing in the secure store database associated with the SSS using a master key;
  
  encrypting the master key using an administrator provided pass phrase as a master secret key, wherein the master secret key is stored along with the encrypted credentials in a registry associated with the application server;
  
  synchronizing the master key to a new service instance at the key manager;
  
  modifying the master secret key at the key manager and storing the master secret key at the registry associated with the application server;
  
  backing up and restoring the secure store database; and
  
  the secure store database for storing the encrypted credentials and the master key, wherein the secure store database is hosted on a database server and managed by the application server.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the credential manager is further configured to:
    - support ticketing for requests where a submitter of the requests and an authorized user associated with the request are distinct.
  - 16. The system of claim 14, wherein the SSS further includes:
    - an application manager for;
      
      enabling a user to at least one from a set of;
      
      create, read, and delete an application.
  - 17. The system of claim 14, wherein the SSS is part of a hosted service providing a plurality of resources to authorized users.
  - 18. The system of claim 17, wherein the plurality of resources includes at least one from a set of:
    - access to data, access to printing resources, access to storage resources, access to computation resources, and access to communication resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Dalzell, Javier, Varkey, Saji, Raj, Kaushik
Primary Examiner(s)
Colin, Carl
Assistant Examiner(s)
ZAIDI, SYED A

Application Number

US12/335,995
Publication Number

US 20100154041A1
Time in Patent Office

1,407 Days
Field of Search

726/6, 713/168, 713/200
US Class Current

726/6
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 2209/76   Proxy, i.e. using intermedi...

H04L 2209/80   Wireless network architectu...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3271   using challenge-response

Transforming claim based identities to credential based identities

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Transforming claim based identities to credential based identities

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links