Federated realm discovery

US 8,544,074 B2
Filed: 06/19/2008
Issued: 09/24/2013
Est. Priority Date: 06/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;

automatically transmitting a request for authentication to a home security authority of the user, the request including the system security token, the home security authority of the user associated with a first realm, and the user having an account with the first realm;

receiving a partner security token in response to transmitting the request for authentication;

submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;

receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority; and

accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A federated realm discovery system within a federation determines a “home” realm associated with a portion of the user'"'"'s credentials before the user'"'"'s secret information (such as a password) is passed to a non-home realm. A login user interface accepts a user identifier and, based on the user identifier, can use various methods to identify an account authority service within the federation that can authenticate the user. In one method, a realm list of the user device can be used to direct the login to the appropriate home realm of the user. In another method, an account authority service in a non-home realm can look up the user'"'"'s home realm and provide realm information directing the user device to login at the home realm.

29 Citations

View as Search Results

20 Claims

1. A method comprising:
- obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
  
  automatically transmitting a request for authentication to a home security authority of the user, the request including the system security token, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
  
  receiving a partner security token in response to transmitting the request for authentication;
  
  submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
  
  receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority; and
  
  accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising identifying the home security authority based on at least a portion of the identifier of the user received in the domain-joined credentials.
  - 3. The method of claim 2 wherein the identifying further comprises identifying the home security authority of the user in a local realm list datastore using the at least a portion of the identifier of the user.
  - 4. The method of claim 2 wherein the identifying further comprises:
    - submitting the at least a portion of the identifier of the user to a security authority of the enterprise network;
      
      receiving from the security authority of the enterprise network realm information identifying the home security authority of the user from a realm list datastore accessible to the user of the enterprise network.
  - 5. The method of claim 1 further comprising authenticating the user with a security authority of the enterprise network using the domain-joined credentials prior to receiving the partner security token.
  - 6. The method of claim 1 further comprising presenting to the user an enterprise network login user interface.
  - 7. The method of claim 1 further comprising:
    - storing the partner security token in a user device used to access the enterprise network responsive to receiving the partner security token.

8. A computer-readable storage memory device having computer-executable instructions for performing a method comprising:
- obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
  
  identifying a home security authority of the user based on at least a portion of the identifier of the user, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
  
  automatically transmitting a request for authentication to the home security authority of the user, the request including the system security token;
  
  receiving a partner security token in response to transmitting the request for authentication;
  
  submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
  
  receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority, and the home security authority and the non-home security authority being members of a federation; and
  
  accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer-readable storage memory device of claim 8 wherein the obtaining further comprise signing into the enterprise network through an enterprise network login user interface using the domain-joined credentials.
  - 10. The computer-readable storage memory device of claim 8 wherein the identifying further comprises identifying the home security authority of the user in a local realm list datastore using the at least a portion of the identifier of the user.
  - 11. The computer-readable storage memory device of claim 8 wherein the identifying further comprises:
    - submitting the at least a portion of the identifier of the user to a security authority of the enterprise network; and
      
      receiving from the security authority of the enterprise network realm information identifying the home security authority of the user from a realm list datastore accessible to the user of the enterprise network.
  - 12. The computer-readable storage memory device of claim 8 wherein the method further comprises authenticating the user with a security authority of the enterprise network using the domain-joined credentials prior to receiving the partner security token.
  - 13. The computer-readable storage memory device of claim 8 wherein the method further comprises presenting to the user an enterprise network login user interface.
  - 14. The computer-readable storage memory device of claim 8 wherein the method further comprises storing the partner security token in a user device used to access the enterprise network responsive to receiving the partner security token.

15. A computing device comprising:
- a processor; and
  
  a computer-readable storage medium having computer-executable instructions that, when executed by the processor, perform a method comprising;
  
  obtaining a system security token for a user when the user signs in to an enterprise network using domain-joined credentials, the domain-joined credentials including an identifier of the user;
  
  automatically transmitting a request for authentication to a home security authority of the user, the request including the system security token, the home security authority of the user associated with a first realm, and the user having an account with the first realm;
  
  receiving a partner security token in response to transmitting the request for authentication;
  
  submitting the partner security token to a non-home security authority associated with a network service responsive to the user navigating to the network service, the non-home security authority and the network service associated with a second realm, and the user not having an account with the second realm, the first realm and the second realm being members of a federation;
  
  receiving from the non-home security authority a security token for accessing the network service, the user having an account with the home security authority but not with the non-home security authority; and
  
  accessing the network service using the security token received from the non-home security authority and without presenting a login user interface of the non-home security authority or the home security authority to the user.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The computing device of claim 15 wherein the method further comprises identifying the home security authority based on at least a portion of the identifier of the user received in the domain-joined credentials.
  - 17. The computing device of claim 16 wherein the identifying further comprises identifying the home security authority of the user in a local realm list datastore using the at least a portion of the identifier of the user.
  - 18. The computing device of claim 16 wherein the identifying further comprises:
    - submitting the at least a portion of the identifier of the user to a security authority of the enterprise network;
      
      receiving from the security authority of the enterprise network realm information identifying the home security authority of the user from a realm list datastore accessible to the user of the enterprise network.
  - 19. The computing device of claim 15 wherein the method further comprises authenticating the user with a security authority of the enterprise network using the domain-joined credentials prior to receiving the partner security token.
  - 20. The computing device of claim 15 wherein the method further comprises presenting to the user an enterprise network login user interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Guo, Wei-Qiang, Ayres, Lynn, Chen, Rui, Faulkner, Sarah, Rouskov, Yordan
Primary Examiner(s)
EDWARDS, LINGLAN E

Application Number

US12/141,940
Publication Number

US 20090320116A1
Time in Patent Office

1,923 Days
Field of Search

726 2- 9, 709217-219, 709/225
US Class Current

726/9
CPC Class Codes

G06F 16/951   Indexing; Web crawling tech...

G06F 21/41   where a single sign-on prov...

G06F 21/606   by securing the transmissio...

G06F 21/6209   to a single file or object,...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0853   using an additional device,...

H04L 63/101   Access control lists [ACL]

H04L 9/3234   involving additional secure...

Federated realm discovery

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

29 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Federated realm discovery

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

29 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links