Policy-based auditing of identity credential disclosure by a secure token service

US 8,370,913 B2
Filed: 08/22/2007
Issued: 02/05/2013
Est. Priority Date: 03/16/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a machine (135) operative as an identity provider;

a receiver (705) to receive a request for a security token (160), said request for said security token (160) including a security policy (150) and identifying at least one datum (715, 720) to be included in said security token (160);

a transmitter (710) to transmit said security token (160) responsive to said request, said security token (160) responsive to said security policy (150);

at least one audit policy (725) associated with said datum (715, 720) including a trigger (730) based on said security token (160) and an audit action (735); and

an audit operator (740) operative to perform said audit action (735) if said trigger (730) occurs.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit.

180 Citations

24 Claims

1. An apparatus, comprising:
- a machine (135) operative as an identity provider;
  
  a receiver (705) to receive a request for a security token (160), said request for said security token (160) including a security policy (150) and identifying at least one datum (715, 720) to be included in said security token (160);
  
  a transmitter (710) to transmit said security token (160) responsive to said request, said security token (160) responsive to said security policy (150);
  
  at least one audit policy (725) associated with said datum (715, 720) including a trigger (730) based on said security token (160) and an audit action (735); and
  
  an audit operator (740) operative to perform said audit action (735) if said trigger (730) occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. An apparatus according to claim 1, wherein said audit action (735) includes at least one of an e-mail message (810) to send to a user, an SMS message (805) to send to said user, a log responsive to said audit policy, and an RSS feed responsive to said audit policy.
  - 3. An apparatus according to claim 1, wherein said audit action (735) includes at least one of a first message (810) relating to said security token (160) to send to a user and a second message (810) identifying a client (105) requesting said security token (160) to send to said user.
  - 4. An apparatus according to claim 3, wherein said audit action (735) further includes a third message (810) including details of a transaction (815) involving said security token (160) to send to said user.
  - 5. An apparatus according to claim 4, wherein said details of a transaction (815) include an identity of a relying party (130) receiving said security token (160).
  - 6. An apparatus according to claim 1, wherein the receiver (705) is operative to receive the audit policy (725) from a user.
  - 7. An apparatus according to claim 1, wherein the transmitter (710) is operative to transmit said security token (160) responsive to a user approving said audit action (735).
  - 8. An apparatus according to claim 1, wherein the machine (135) includes the receiver (705), the transmitter (710), the at least one audit policy (725), and the audit operator (740).

9. A method for triggering an audit, comprising:
- receiving (1410) at an identity provider (135) a request for a security token (160), the request including a security policy (150) and identifying at least one datum (715, 720);
  
  accessing (1415) an audit policy (710) associated with the datum (715, 720);
  
  identifying (1420) a trigger (730) associated with the security token (160);
  
  performing (1425) an audit action (735) responsive to the identified trigger (730); and
  
  transmitting (1450) from the identity provider (135) the security token (160) responsive to the received security policy (150).
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. A method according to claim 9, wherein:
    - performing (1425) an audit action (735) includes performing at least one of sending an e-mail (810) to a user, sending an SMS message (805) to the user, logging information generated from the security token, and an RSS feed generated from the security token.
  - 11. A method according to claim 9, wherein performing (1425) an audit action (735) includes informing a user (810) about at least one of the contents of the security token (160) and an identity of a client (105) requesting the security token (160).
  - 12. A method according to claim 11, wherein performing (1425) an audit action (735) further includes informing the user about details of a transaction (815) involving the security token (160).
  - 13. A method according to claim 12, wherein informing the user about details of a transaction (815) includes identifying a relying party (130) receiving the security token (160).
  - 14. A method according to claim 9, further comprising receiving (130) the audit policy (725) from a user, the audit policy (725) identifying the trigger (730) and the audit action (735).
  - 15. A method according to claim 9, wherein:
    - performing (1425) an audit action (735) includes requesting (1435) a user to approve the transmission of the security token (160); and
      
      transmitting (1450) a security token (160) includes transmitting (1450) the security token (160) only if the user approves (1440) the transmission of the security token (160).
  - 16. A method according to claim 15, wherein transmitting (1450) the security token (160) includes denying (1445) a transaction (815) if the user does not approve the transmission of the security token (160).

17. An article, comprising a non-transitory storage medium, said non-transitory storage medium having stored thereon instructions that, when executed by a machine, result in:
- receiving (1410) a request for a security token (160), the request including a security policy (150) and identifying at least one datum (715, 720);
  
  accessing (1415) an audit policy (710) associated with the datum (715, 720);
  
  identifying (1420) a trigger (730) associated with the security token (160);
  
  performing (1425) an audit action (735) responsive to the identified trigger (730); and
  
  transmitting (1450) the security token (160) responsive to the received security policy (150).
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. An article according to claim 17, wherein:
    - performing (1425) an audit action (735) includes performing at least one of sending an e-mail (810) to a user, sending an SMS message (805) to the user, logging information generated from the security token, and an RSS feed generated from the security token.
  - 19. An article according to claim 17, wherein performing (1425) an audit action (735) includes informing a user (810) about at least one of the contents of the security token (160) and an identity of a client (105) requesting the security token (160).
  - 20. An article according to claim 19, wherein performing (1425) an audit action (735) further includes informing the user about details of a transaction (815) involving the security token (160).
  - 21. An article according to claim 20, wherein informing the user about details of a transaction (815) includes identifying a relying party (130) receiving the security token (160).
  - 22. An article according to claim 17, wherein said non-transitory storage medium has stored thereon further instructions that, when executed by the machine, result in receiving (130) the audit policy (725) from a user, the audit policy (725) identifying the trigger (730) and the audit action (735).
  - 23. An article according to claim 17, wherein:
    - performing (1425) an audit action (735) includes requesting (1435) a user to approve the transmission of the security token (160); and
      
      transmitting (1450) a security token (160) includes transmitting (1450) the security token (160) only if the user approves (1440) the transmission of the security token (160).
  - 24. An article according to claim 23, wherein transmitting (1450) the security token (160) includes denying (1445) a transaction (815) if the user does not approve the transmission of the security token (160).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Apple Inc.
Inventors
Hodgkinson, Andrew A., Buss, Duane F., Doman, Thomas E., Felsted, Patrick R., Sermersheim, James G.
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US11/843,638
Publication Number

US 20080229384A1
Time in Patent Office

1,994 Days
Field of Search

None
US Class Current

726/9
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06Q 20/10   specially adapted for elect...

G06Q 20/367   involving electronic purses...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

Policy-based auditing of identity credential disclosure by a secure token service

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

180 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Policy-based auditing of identity credential disclosure by a secure token service

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

180 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links