Flexible authentication for online services with unreliable identity providers
Assignments: 2. Petitions: 0.
Abstract
A flexible authentication system is described herein that fluidly switches between a federated authentication model and a local short-lived token model that does not require sophisticated authentication infrastructure at the relying party site. Upon detecting an event that causes the identity provider to be unavailable for authentication, the relying party switches to a temporary token model. The system generates a bearer token or challenge associated with the user's identity and (optionally) associated with time data that limits the period during which the token is valid. The relying party communicates the short-lived token to the user using contact information associated with the user and already stored by the relying party. Upon receiving the short-lived token, the user provides the short-lived token to the relying party, and the relying party processes the token to validate the user's identity and then allows the user to access the relying party's online services.
Citations: 74

Claims (20)

1. A computer-implemented method for authenticating a user to access one or more online services, the method comprising:

receiving a request from a user to login to use an online service provided by a relying party;
in response to the received login request, attempting to perform federated authentication by communicating with an identity provider that can authenticate the user for the relying party; and
upon determining that federated authentication failed due to unavailability of the identity provider, accessing user information stored by the relying party that includes at least one contact address for the user;
generating a temporary token or challenge that correlates with: (1) duration information and (2) data associated with the user's identity; and
sending the generated temporary token to the user using the at least one contact address, wherein the preceding steps are performed by at least one processor.

Dependent claims: 2 to 13.

14. A flexible authentication system for authenticating a user in the event of an unreliable identity provider, the system comprising:

a processor and memory configured to execute software instructions embodied within the following components:
a user login component that receives requests to authenticate at least one user to use one or more online services provided by a relying party;
an outage detection component that detects an event that causes an identity provider that provides authentication services to the relying party to be unavailable for handling one or more received authentication requests;
a federated authentication component that sends to an identity provider authentication requests on behalf of the relying party that offloads authentication handling to the identity provider and receives an authentication response that verifies the at least one user's digital identity;
a token generation component that generates a temporary token that validates the at least one user's digital identity, has a limited lifetime, and allows the at least one user in possession of the temporary token to access one or more online services of the relying party without authenticating with an identity provider and without the relying party storing local security credentials on behalf of the at least one user;
a token communication component that accesses information about a contact point associated with the at least one user and communicates the generated temporary token to at least one contact point based on the accessed information;
a token receiving component that receives a request from the at least one user to access an online service of the relying party, wherein the request includes the temporary token previously generated and communicated to the at least one user at the one or more contact points;
a token validation component that validates the temporary token that was received by determining the user identity associated with the token and verifying that the token is being used during the token's valid lifetime; and
a user access component that provides the at least one user access to the online services of the relying party based on the temporary token having been received and validated.

Dependent claims: 15 to 19.

20. A computer-readable storage device comprising instructions for controlling a computer system to authenticate a user to access a service while an identity provider for the user is unavailable, wherein the instructions, upon execution, cause a processor to perform actions comprising:

receiving a temporary token from the user, the temporary token previously issued by a relying party operating an online service that normally relies upon a third-party identity provider to provide authentication services;
determining that the third-party identity provider for the user is unavailable;
retrieving user identity information from the received temporary token that identifies a user profile stored by the relying party that is associated with the user providing the temporary token;
determining that the temporary token is a token validly issued by the relying party;
determining a valid lifetime of the received temporary token and that the temporary token is not expired; and
when the temporary token is not expired, allowing the user to access the online service based on the user's access rights and the user's authenticated identity verified by the user's possession of the temporary token and without the relying party separately storing security credentials for the user.
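The fallback described in the abstract and in claims 1, 14 and 20 (when the identity provider is unreachable, issue a short-lived token tied to the user's identity and a lifetime, deliver it to a contact address the relying party already holds, then validate it when the user presents it), as an added Python example that is not part of the patent. The token encoding (a JSON body signed with HMAC-SHA256), the single-use check, the `RelyingParty` class, the in-memory user store, the injectable clock and the `outbox` list standing in for email or SMS delivery are all assumptions made for this illustration; the patent does not prescribe a token format.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64url(data: bytes) -> str:
    """Unpadded base64url, so the token can travel safely in a link or form field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RelyingParty:
    """Hypothetical relying party (not from the patent) that normally defers to an
    identity provider and falls back to a short-lived, single-use bearer token
    delivered to a stored contact address when the provider is unavailable."""

    def __init__(self, signing_key: bytes, ttl_seconds: int = 600, clock=time.time):
        self._key = signing_key        # secret known only to the relying party
        self._ttl = ttl_seconds        # token lifetime (the claims' "duration information")
        self._clock = clock            # injectable so expiry can be exercised in a test
        # Constructed user store: a profile and contact address per user, but no
        # password or other local credential, as claims 14 and 20 require.
        self._users = {"alice": {"contact": "alice@example.test"}}
        self._redeemed = set()         # token ids already used once
        self.outbox = []               # stands in for the email/SMS delivery channel

    def _issue(self, user_id: str) -> str:
        now = int(self._clock())
        claims = {
            "sub": user_id,                      # data associated with the user's identity
            "iat": now,
            "exp": now + self._ttl,              # end of the valid lifetime
            "jti": secrets.token_urlsafe(16),    # unique id, used for the one-time check
        }
        body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
        tag = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64url(tag)

    def login(self, user_id: str, idp_available: bool) -> str:
        """Federated path when the provider is up; token fallback otherwise."""
        if idp_available:
            return "federated"   # hand the request off to the identity provider as usual
        # Fallback path. The response is the same whether or not the account
        # exists, so the login form cannot be used to enumerate users.
        profile = self._users.get(user_id)
        if profile is not None:
            self.outbox.append((profile["contact"], self._issue(user_id)))
        return "token-sent"

    def redeem(self, token: str):
        """Validate a presented token; return the user id or None if rejected."""
        body, sep, tag = token.partition(".")
        if not sep:
            return None
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        try:
            # Verify the tag first (constant time), before trusting anything inside.
            if not hmac.compare_digest(expected, _b64url_decode(tag)):
                return None
            claims = json.loads(_b64url_decode(body))
        except ValueError:              # bad base64, bad UTF-8 or bad JSON
            return None
        if not isinstance(claims, dict):
            return None
        if claims.get("exp", 0) <= self._clock():
            return None                 # outside the valid lifetime
        if claims.get("jti") in self._redeemed:
            return None                 # already redeemed once
        if claims.get("sub") not in self._users:
            return None                 # no profile behind the asserted identity
        self._redeemed.add(claims["jti"])
        return claims["sub"]


if __name__ == "__main__":
    rp = RelyingParty(secrets.token_bytes(32))
    print(rp.login("alice", idp_available=False))      # token-sent
    contact, token = rp.outbox[-1]
    print("delivered to", contact)
    print("redeemed as", rp.redeem(token))              # alice
    print("replay accepted?", rp.redeem(token) is not None)  # False
```

The validation order matters: signature first, so nothing inside an unverified token is trusted; then lifetime; then the one-time check; then that a profile still exists for the identity. Because the relying party keeps no password, the fallback's security rests on the delivery channel, which is why the lifetime is kept short and the token is invalidated after its first use.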
Specification