Methods and system for storing and retrieving identity mapping information

US 8,555,075 B2
Filed: 09/20/2007
Issued: 10/08/2013
Est. Priority Date: 10/17/2006
Status: Active Grant

First Claim

Patent Images

1. A method for retrieving identity mapping information from a trusted identity management system for enabling a user authenticated at a first domain to access a second domain, the method comprising:

utilizing a computer system to perform;

retrieving, by an application, user-signed identity mapping information for the user, wherein the identity mapping information was digitally signed by the user using a private key of the user, and where the identity mapping information has further been digitally signed by the identity management system using a private key of the identity management system, wherein the identity management system is trusted by at least the first domain, wherein the identity mapping information comprises a mapping of the user'"'"'s user identification (ID) in the first domain to the user'"'"'s user ID in the second domain, and wherein the user ID in the first domain is different from the user ID in the second domain;

validating, by the application, the digital signature of the identity management system using a public key of the identity management system; and

validating, by the application, the digital signature of the user using a public key of the user;

wherein after said validating the digital signature of the identity management system and said validating the digital signature of the user, the user can be authenticated to access the second domain, and wherein either the user or any authorized party can revoke authentication of the identity mapping information for the user, wherein control of the user'"'"'s identity mapping information is shared between the user and the identity management system; and

wherein the method is operable regardless of whether the first and second domains have a trusted or untrusted relationship.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and method for storing identity mapping information in an identity management system to enable a user authenticated at a first domain to access a second domain. The method may include digitally signing the identity mapping information by the user; providing the mapping information to an identity management system; and storing the user-signed mapping information after being further digitally signed by the identity management system.

Citations

8 Claims

1. A method for retrieving identity mapping information from a trusted identity management system for enabling a user authenticated at a first domain to access a second domain, the method comprising:
- utilizing a computer system to perform;
  
  retrieving, by an application, user-signed identity mapping information for the user, wherein the identity mapping information was digitally signed by the user using a private key of the user, and where the identity mapping information has further been digitally signed by the identity management system using a private key of the identity management system, wherein the identity management system is trusted by at least the first domain, wherein the identity mapping information comprises a mapping of the user'"'"'s user identification (ID) in the first domain to the user'"'"'s user ID in the second domain, and wherein the user ID in the first domain is different from the user ID in the second domain;
  
  validating, by the application, the digital signature of the identity management system using a public key of the identity management system; and
  
  validating, by the application, the digital signature of the user using a public key of the user;
  
  wherein after said validating the digital signature of the identity management system and said validating the digital signature of the user, the user can be authenticated to access the second domain, and wherein either the user or any authorized party can revoke authentication of the identity mapping information for the user, wherein control of the user'"'"'s identity mapping information is shared between the user and the identity management system; and
  
  wherein the method is operable regardless of whether the first and second domains have a trusted or untrusted relationship.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, wherein said validating the digital signature of the user comprises using a certificate of the user comprising the public key of the user.
  - 3. The method of claim 1, wherein the user certificate is obtained from a trust center.
  - 4. The method of claim 1, wherein said retrieving further comprises retrieving a password, wherein the password is required to access the second domain and is encrypted by an encryption key comprising at least a first part encrypted by a public key of the user and a second part encrypted by a public key obtained from a trust center, wherein the method further comprises:
    - sending the first encrypted part of the encryption key to the user for decryption with his private key;
      
      sending the second encrypted part to the trust center for decryption; and
      
      decrypting the password with the encryption key assembled from the decrypted first and second part.

5. A non-transitory computer accessible memory medium comprising program instructions for retrieving identity mapping information from an identity management system for enabling a user authenticated at a first domain to access a second domain, wherein the program instructions are executable by a processor to:
- retrieve, by an application, user-signed identity mapping information for the user, wherein the identity mapping information was digitally signed by the user using a private key of the user, and where the identity mapping information has further been digitally signed by the identity management system using a private key of the identity management system, wherein the identity management system is trusted by at least the first domain, wherein the identity mapping information comprises a mapping of the user'"'"'s user identification (ID) in the first domain to the user'"'"'s user ID in the second domain, and wherein the user ID in the first domain is different from the user ID in the second domain;
  
  validate, by the application, the digital signature of the identity management system using a public key of the identity management system; and
  
  validate, by the application, the digital signature of the user using a public key of the user;
  
  wherein after said validating the digital signature of the identity management system and said validating the digital signature of the user, the user may be authenticated to access the second domain, and wherein either the user or any other authorized party can revoke authentication of the identity mapping information for the user, wherein control of the user'"'"'s identity mapping information is shared between the user and the identity management system; and
  
  wherein the method is operable regardless of whether the first and second domains have a trusted or untrusted relationship.
- View Dependent Claims (6, 7, 8)
- - 6. The non-transitory computer accessible memory medium of claim 5, wherein said validating the digital signature of the user comprises using a certificate of the user comprising the public key of the user.
  - 7. The non-transitory computer accessible memory medium of claim 6, wherein the user certificate is obtained from a trust center.
  - 8. The non-transitory computer accessible memory medium of claim 5, wherein said retrieving further comprises retrieving a password, wherein the password is required to access the second domain and is encrypted by an encryption key comprising at least a first part encrypted by a public key of the user and a second part encrypted by a public key obtained from a trust center, and wherein the program instructions are further executable to:
    - send the first encrypted part of the encryption key to the user for decryption with his private key;
      
      send the second encrypted part to the trust center for decryption; and
      
      decrypt the password with the encryption key assembled from the decrypted first and second part.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Software AG
Original Assignee
Software AG
Inventors
Kessler, Dieter
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
LEE, JASON T

Application Number

US11/858,211
Publication Number

US 20080089520A1
Time in Patent Office

2,210 Days
Field of Search

713/182, 726/6, 380/277
US Class Current

713/182
CPC Class Codes

H04L 63/0815 providing single-sign-on or...

Methods and system for storing and retrieving identity mapping information

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and system for storing and retrieving identity mapping information

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links