Relying party specifiable format for assertion provider token

US 8,555,078 B2
Filed: 02/29/2008
Issued: 10/08/2013
Est. Priority Date: 02/29/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a client computer comprising one or more processors;

the client computer further comprising a memory coupled to one or more processors, wherein the memory stores program instructions executable by the one or more processors to implement a security component associated with a network-enabled application, wherein said security component is configured to;

receive authentication policy information at runtime on the client computer, the authentication policy information received from a remote computer of a relying party, the authentication policy information specifying that an assertion token is to be signed by the client computer prior to the client computer forwarding that assertion token to the relying party;

send authentication credentials from the client computer to a remote computer of an assertion provider to authenticate a user of the client computer to the relying party;

receive an assertion token from a remote computer of the assertion provider, wherein the assertion token indicates the user of the client computer has been authenticated;

sign the assertion token on the client computer as specified in the authentication policy information received at runtime;

forward the signed assertion token from the client computer to a remote computer of the relying party;

determine whether the relying party is reputable;

enable display of an indication associated with whether the relying party is reputable; and

enable display of a region embedded within a user interface associated with the client computer, the user interface configured to display an image associated with the relying party, wherein an appearance associated with said embedded region is customizable for each relying party of a plurality of relying parties.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security component may be associated with a network-enabled application. The network-enabled application may request access to restricted content from a relying party (e.g., web site). The security component associated with the network-enabled application may receive authentication policy information from the relying party and send a user'"'"'s authentication credentials to an assertion provider to authenticate the credentials. The relying party may trust the assertion provider to authenticate user credentials. Upon successful authentication, the assertion provider may return an assertion token to the security component and the security component may sign the assertion token as specified in the authentication policy information. Subsequently, the security token may forward the signed assertion token to the relying party and the relying party may grant access to the restricted content.

Citations

21 Claims

1. A system, comprising:
- a client computer comprising one or more processors;
  
  the client computer further comprising a memory coupled to one or more processors, wherein the memory stores program instructions executable by the one or more processors to implement a security component associated with a network-enabled application, wherein said security component is configured to;
  
  receive authentication policy information at runtime on the client computer, the authentication policy information received from a remote computer of a relying party, the authentication policy information specifying that an assertion token is to be signed by the client computer prior to the client computer forwarding that assertion token to the relying party;
  
  send authentication credentials from the client computer to a remote computer of an assertion provider to authenticate a user of the client computer to the relying party;
  
  receive an assertion token from a remote computer of the assertion provider, wherein the assertion token indicates the user of the client computer has been authenticated;
  
  sign the assertion token on the client computer as specified in the authentication policy information received at runtime;
  
  forward the signed assertion token from the client computer to a remote computer of the relying party;
  
  determine whether the relying party is reputable;
  
  enable display of an indication associated with whether the relying party is reputable; and
  
  enable display of a region embedded within a user interface associated with the client computer, the user interface configured to display an image associated with the relying party, wherein an appearance associated with said embedded region is customizable for each relying party of a plurality of relying parties.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The system as recited in claim 1, wherein the security component is configured to sign the assertion token in a manner as specified in the authentication policy information from the relying party so that the signed assertion token is only valid for a single use.
  - 3. The system as recited in claim 2, wherein the signed assertion token includes a nonce as specified in the authentication policy information from the relying party.
  - 4. The system as recited in claim 1, wherein the security component is configured to sign the assertion token using a key received from the assertion provider.
  - 5. The system as recited in claim 1, wherein the security component is configured to provide a user interface for the user to select the assertion provider.
  - 6. The system as recited in claim 5, wherein the security component is further configured to access information indicating assertion providers with whom the user is registered, wherein the authentication policy information from the relying party comprises filter information usable by the security component to determine which of the indicated assertion providers to present to the user via the user interface for selection by the user.
  - 7. The system as recited in claim 1, wherein the network-enabled application comprises a web browser.

8. A computer implemented method, comprising:
- a client-side security component on a client computer receiving authentication policy information at runtime on the client computer, the authentication policy information received from a remote computer of a relying party, the authentication policy information specifying that an assertion token is to be signed by the client computer prior to the client computer forwarding that assertion token to the relying part;
  
  the client-side security component sending authentication credentials from the client computer to a remote computer of an assertion provider to authenticate a user of the client computer to the relying party;
  
  the client-side security component receiving an assertion token from a remote computer of the assertion provider, wherein the assertion token indicates the user of the client computer has been authenticated;
  
  the client-side security component signing the assertion token on the client computer as specified in the authentication policy information received at runtime, wherein the client-side security component is further configured to sign the assertion token using a key received from the assertion provider;
  
  the client-side security component forwarding the signed assertion token from the client computer to a remote computer of the relying party;
  
  the client-side security component enabling display of a region embedded within a user interface associated with the client computer, the user interface configured to display an image associated with the relying party, wherein an appearance associated with said embedded region is customizable for each relying party of a plurality of relying parties.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method as recited in claim 8, further comprising the client-side security component signing the assertion token in a manner as specified in the authentication policy information from the relying party so that the signed assertion token is only valid for a single use.
  - 10. The method as recited in claim 9, wherein the signed assertion token includes a nonce as specified in the authentication policy information from the relying party.
  - 11. The method as recited in claim 8, further comprising the client-side security component providing a user interface for the user to select the assertion provider.
  - 12. The method as recited in claim 11, further comprising the client-side security component accessing information indicating assertion providers with whom the user is registered, wherein the authentication policy information from the relying party comprises filter information usable by the client-side security component for determining which of the indicated assertion providers to present to the user via the user interface for selection by the user.
  - 13. The computer implemented method as recited in claim 8, wherein forwarding the signed assertion token to a remote computer of the relying party further comprises forwarding the signed assertion token as a query parameter.
  - 14. The computer implemented method as recited in claim 8, wherein the authentication policy information further comprises at least one Uniform Resource Identifier (URL) associated with an acceptable assertion provider to obtain the assertion token from.

15. Computer-accessible storage memory storing computer-executable program instructions on a client computer to implement a security component associated with a network-enabled application, wherein the security component is configured to:
- receive authentication policy information at runtime on the client computer, the authentication policy information received from a remote computer of a relying party, the authentication policy information specifying that an assertion token is to be signed by the client computer prior to the client computer forwarding that assertion token to the relying party;
  
  provide a user interface for a user to select an assertion provider;
  
  send authentication credentials from the client computer to a remote computer of a selected assertion provider to authenticate the user of the client computer to the relying party;
  
  receive an assertion token from a remote computer of the assertion provider, wherein the assertion token indicates the user of the client computer has been authenticated;
  
  sign the assertion token on the client computer as specified in the authentication policy information received at runtime;
  
  forward the signed assertion token from the client computer to a remote computer of the relying party; and
  
  enable display of a region embedded within a user interface associated with the client computer, the user interface configured to display an image associated with the relying party, wherein an appearance associated with said embedded region is customizable for each relying party of a plurality of relying parties.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-accessible storage memory as recited in claim 15, wherein the security component is configured to sign the assertion token in a manner as specified in the authentication policy information from the relying party so that the signed assertion token is only valid for a single use.
  - 17. The computer-accessible storage memory as recited in claim 16, wherein the signed assertion token includes a nonce as specified in the authentication policy information from the relying party.
  - 18. The computer-accessible storage memory as recited in claim 15, wherein the security component is configured to sign the assertion token using a key received from the assertion provider.
  - 19. The computer-accessible storage memory as recited in claim 15, wherein the security component is further configured to access information indicating assertion providers with whom the user is registered, wherein the authentication policy information from the relying party comprises filter information usable by the security component to determine which of the indicated assertion providers to present to the user via the user interface for selection by the user.
  - 20. The computer-accessible storage memory as recited in claim 15, wherein the security component is further configured to:
    - determine whether the relying party is reputable; and
      
      enable display of an indication associated with whether the relying party is reputable in said embedded region.
  - 21. The computer-accessible storage memory as recited in claim 20, wherein to enable display an indication further comprises:
    - display of relying party information responsive to determining the relying party is reputable in said embedded region; and
      
      display of a different image than relying party information responsive to determining the relying party is not reputable in said embedded region.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Adobe Inc.
Original Assignee
Adobe Systems Incorporated (Adobe Inc.)
Inventors
Pravetz, James D., Steele, Joseph D., Agrawal, Sunil
Primary Examiner(s)
Patel, Ashokkumar
Assistant Examiner(s)
Desrosiers, Evans

Application Number

US12/040,445
Publication Number

US 20130125197A1
Time in Patent Office

2,048 Days
Field of Search

713168-174, 713182-186, 713/202, 709/225, 709/229, 726 2- 8
US Class Current

713/185
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0838   using one-time-passwords

Relying party specifiable format for assertion provider token

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Relying party specifiable format for assertion provider token

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links