Identity management and single sign-on in a heterogeneous composite service scenario
Abstract
A server device that includes a memory to store identity information for a group of users, policy information, and context information for a group of user devices. The server device also includes a processor to receive, from another server device, a request for login credentials, associated with a user of a user device, that enable a third party application to access a service provider on behalf of the user, the request including identity information associated with the user and context information associated with the user device; verify the identity of the user based on a determination that particular identity information is stored in the memory; authorize the disclosure of the particular identity information based on a determination that the context information matches particular context information stored in the memory and that the policy information permits the disclosure of the particular identity information; and send the particular identity information, that includes the login credentials, to the other server device based on the verified identity and the authorized disclosure.
34 Citations
24 Claims
1. A method performed by a first server device, the method comprising:
- receiving, by the first server device and from a second server device that hosts a third party application, a first request to verify an identity of a user of a user device associated with the third party application, the first request including a token containing identity information of the user and information regarding two or more service provider applications from which services are to be obtained by the third party application on behalf of the user;
- determining, by the first server device, whether the identity information, of the user, matches stored identity information stored in a memory of the server device;
- retrieving, by the first server device and from the memory, context information of the user device, when the identity information matches the stored identity information, the context information including location information, that identifies a first location of the user device during a prior session to verify the identity of the user;
- comparing, by the first server device, a second location of the user device, at a present point in time, with the first location of the user device;
- retrieving, by the first server device and from the memory, the identity information when the second location of the user device matches the first location of the user device; and
- sending, by the first server device and to the second server device, the identity information, where the identity information includes login credentials, of the user, said login credentials permitting the third party application to access the two or more service provider applications on behalf of the user.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. A first server device, comprising:
- a memory to store identity information for a plurality of users, policy information for the server device, and particular context information of a plurality of user devices, and
- a processor to execute instructions in the memory to:
  - receive, from a second server device that hosts a third party application, a request to receive login credentials of a user of a user device, where the login credentials enable the third party application to access at least two service provider applications on behalf of the user, the request including a token containing identity information for the user and context information that includes capabilities of the user device,
  - perform an identity verification operation to determine whether particular identity information, for the user, is stored in the memory, the particular identity information including the login credentials,
  - perform an authorization operation to determine whether the context information, matches the particular context information stored in the memory or whether the policy information permits the disclosure of the particular identity information, and
  - send the particular identity information to the second server device to be used by the third party application to access the two or more service provider applications, on behalf of the user, when the identity of the user is verified as a result of the identity verification operation and when the disclosure of the particular identity information is permitted as a result of the authorization operation.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18

19. A system comprising:
- a storage device to store:
  - identity information of a user of a user device, the identity information including a plurality of identity entries of the user, and
  - context information that identifies a location of the user device or capabilities of the user device at a prior point in time; and
- a first server device to:
  - receive, from a second server device that hosts a third party application, a first request to verify an identity of the user with which the third party application is associated, the first request including one or more identity entries,
  - determine whether the one or more identity entries match at least one identity entry of the plurality of identity entries,
  - retrieve, from the storage device, the plurality of identity entries when the one or more identity entries match the at least one identity entry, the plurality of identity entries including login credentials for at least one service provider application from which services are to be obtained by the third party application,
  - retrieve, from the storage device, the context information when the one or more identity entries match the at least one identity entry,
  - compare particular context information, associated with the user device at a present point in time, with the retrieved context information to determine whether the particular context information matches the retrieved context information, and
  - send, to the second server device, the login credentials for the at least one service provider application when the particular context information matches the retrieved context information.

Dependent claims: 20, 21, 22, 23, 24
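As an added illustration, not part of the patent or of any product implementing it, the following Python models the decision sequence shared by claims 1, 10 and 19: look up the stored identity, compare the device's present location with the location recorded in a prior session, check the policy for the requesting application, and release only the credentials for the providers actually requested. The token layout, the location tolerance, the policy shape and the sample records are all assumptions; the context and policy checks are applied conjunctively, as in the abstract.

```python
# Added example (not the patent's own code): identity-server release decision
# for a third-party application acting on behalf of a user.
from dataclasses import dataclass, field
from math import hypot
from typing import Optional, Tuple

@dataclass
class IdentityRecord:
    user_id: str
    credentials: dict                 # service provider application -> login credential
    prior_location: Tuple[float, float]  # location recorded during a prior verified session
    allowed_apps: set = field(default_factory=set)  # policy: apps permitted to receive credentials

# Constructed sample store; coordinates are in arbitrary units.
STORE = {
    "alice": IdentityRecord(
        "alice",
        {"mail": "alice:m-secret", "calendar": "alice:c-secret"},
        (10.0, 20.0),
        {"assistant-app"},
    ),
}
LOCATION_TOLERANCE = 0.5  # assumption: "matches" means within this distance of the prior location

def release_credentials(token: dict) -> Tuple[Optional[dict], str]:
    """Return (credentials, reason). credentials is None whenever any check fails.

    The reason string is meant for the server's audit log, so a denied request
    is always explainable without revealing anything to the requesting application.
    """
    record = STORE.get(token.get("user_id"))
    if record is None:
        return None, "identity not found"            # identity verification failed
    location = token.get("location")
    if location is None:
        return None, "no context in request"         # cannot compare, so do not release
    px, py = record.prior_location
    if hypot(location[0] - px, location[1] - py) > LOCATION_TOLERANCE:
        return None, "location mismatch"             # present location != prior-session location
    if token.get("app") not in record.allowed_apps:
        return None, "policy denies this application"  # policy check failed
    providers = token.get("providers") or []
    if not providers or any(p not in record.credentials for p in providers):
        return None, "unknown or missing provider"   # never release credentials not on file
    # Least privilege: only the requested providers' credentials leave the server.
    return {p: record.credentials[p] for p in providers}, "released"
```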
Specification