Federated realm discovery
Abstract
A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user's credentials before the user's secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user's home realm and provide realm information directing the user device to login at the home realm.
20 Claims
1. A method comprising:
obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
automatically transmitting a request for authentication to a home security authority of the user, the request including the system security token, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
receiving a partner security token in response to transmitting the request for authentication;
submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority; and
accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A computer-readable storage memory device having computer-executable instructions for performing a method comprising:
obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
identifying a home security authority of the user based on at least a portion of the identifier of the user, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
automatically transmitting a request for authentication to the home security authority of the user, the request including the system security token;
receiving a partner security token in response to transmitting the request for authentication;
submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority, and the home security authority and the non-home security authority being members of a federation; and
accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
(Dependent claims: 9, 10, 11, 12, 13, 14)

15. A computing device comprising:
a processor; and
a computer-readable storage medium having computer-executable instructions that, when executed by the processor, perform a method comprising:
obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
automatically transmitting a request for authentication to a home security authority of the user, the request including the system security token, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
receiving a partner security token in response to transmitting the request for authentication;
submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority; and
accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
(Dependent claims: 16, 17, 18, 19, 20)
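The claims describe a chain of three tokens (system security token, partner security token, service security token) and the abstract describes two ways of discovering the user's home realm: the device's realm list, or a lookup by the non-home realm that returns only realm information. The following Python model is an added example and not the patent's code: the realm names, user identifiers, HMAC-based token format and per-realm signing keys are all constructed stand-ins, and the point it shows is that the user's password reaches only the home realm while the non-home realm accepts a token solely because its issuer is a federation member.

```python
import hashlib
import hmac
import secrets

def _mac(key, body):
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class Authority:  # constructed model of a realm's account authority service, not the patent's implementation
    def __init__(self, realm, accounts):
        self.realm, self.accounts = realm, accounts   # accounts: user_id -> password, local to this realm
        self.key = secrets.token_bytes(32)            # signing key that never leaves the realm
        self.partners = {}                            # realm -> verification key of each federation member
    def federate(self, other):
        self.partners[other.realm], other.partners[self.realm] = other.key, self.key
    def _issue(self, kind, user_id):
        body = f"{kind}|{self.realm}|{user_id}"
        return f"{body}|{_mac(self.key, body)}"
    @staticmethod
    def _verify(token, kind, keys):
        # accept only the expected token kind, an issuer realm present in `keys`, and a matching MAC
        k, realm, user_id, mac = token.split("|")
        if k != kind or realm not in keys or not hmac.compare_digest(mac, _mac(keys[realm], f"{k}|{realm}|{user_id}")):
            raise PermissionError(f"invalid {kind} token")
        return user_id
    def domain_sign_in(self, user_id, password):
        # domain-joined sign-in at the home realm yields the system security token
        if self.accounts.get(user_id) != password:
            raise PermissionError("bad credentials")
        return self._issue("system", user_id)
    def lookup_home_realm(self, user_id):
        # non-home realm maps the identifier's domain part to a federation realm and returns realm info only
        realm = user_id.rsplit("@", 1)[-1]
        if realm not in self.partners:
            raise LookupError(f"{realm} is not a federation member")
        return realm
    def issue_partner_token(self, system_token):
        # home realm: accept its own system token and issue a partner token usable at other realms
        return self._issue("partner", self._verify(system_token, "system", {self.realm: self.key}))
    def issue_service_token(self, partner_token):
        # non-home realm: trust a partner token only from a federation member; no local account is needed
        return self._issue("service", self._verify(partner_token, "partner", self.partners))

def access_service(user_id, password, device_realm_list, authorities, service_realm):
    """Realm discovery, then the token chain, with no login UI presented by the service's realm."""
    domain = user_id.rsplit("@", 1)[-1]
    # discovery method 1: the device's realm list; method 2: ask the non-home realm where to sign in
    home = domain if domain in device_realm_list else authorities[service_realm].lookup_home_realm(user_id)
    system_token = authorities[home].domain_sign_in(user_id, password)  # the secret goes only to the home realm
    partner_token = authorities[home].issue_partner_token(system_token)
    return authorities[service_realm].issue_service_token(partner_token)
```

A realm outside the federation can mint tokens in the same format, but the non-home authority rejects them because it holds no verification key for that issuer; a system token presented directly as a partner token is likewise rejected on kind.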