Application identity design

US 8,595,802 B2
Filed: 09/14/2012
Issued: 11/26/2013
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. An interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent applications and users having associated client machines, the interoperability network comprising one or more computing devices configured to:

receive a request for a first application to perform a particular task involving a second application on behalf of a first user, wherein the first and second applications are in communication with an interoperability network and are provided by least one service provider;

determine whether a first user has provided a first set of credentials that defines access information for the second application, the first set of credentials being included among a plurality of sets of credentials stored on one or more storage media accessible through the interoperability network;

determine whether the first application is authorized to act on behalf of the first user with respect to the second application with reference to one or more of a plurality of permissions stored on the one or more storage media; and

where the first user has provided the first set of credentials, and where the first application is authorized to act on behalf of the first user with respect to the second application, authorizing the first application to perform the particular task involving the second application on behalf of the first user.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

Citations

20 Claims

1. An interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent applications and users having associated client machines, the interoperability network comprising one or more computing devices configured to:
- receive a request for a first application to perform a particular task involving a second application on behalf of a first user, wherein the first and second applications are in communication with an interoperability network and are provided by least one service provider;
  
  determine whether a first user has provided a first set of credentials that defines access information for the second application, the first set of credentials being included among a plurality of sets of credentials stored on one or more storage media accessible through the interoperability network;
  
  determine whether the first application is authorized to act on behalf of the first user with respect to the second application with reference to one or more of a plurality of permissions stored on the one or more storage media; and
  
  where the first user has provided the first set of credentials, and where the first application is authorized to act on behalf of the first user with respect to the second application, authorizing the first application to perform the particular task involving the second application on behalf of the first user.
- View Dependent Claims (3, 4, 5, 6, 7, 8)
- - 3. The network of claim 1, wherein each of the plurality of sets of credentials is of a type that is specified by the respective application, and at least two of the plurality of sets of credentials correspond to different authentication protocols.
  - 4. The network. of claim 1, wherein determining whether the first application has been granted permission to act on behalf of the first user with respect to the second application comprises:
    - retrieving a first policy from a plurality of policies stored on the one or more storage media, the first policy defining first conditions under which the first application is authorized to act on behalf of the first user with respect to the second application; and
      
      determining whether the particular task complies with the first policy.
  - 5. The network of claim 1, wherein first set of credentials is stored in a first user'"'"'s credential storage area on the one or more storage media, the first user'"'"'s credential storage area storing a plurality of sets of credentials for the first user that each defines access information for the first user for one or more applications accessible via the interoperability network.
  - 6. The network of claim 1, wherein determining whether the first application is authorized to act on behalf of the first user with respect to the second application comprises determining whether the first application has been granted a read permission.
  - 7. The network of claim 1, wherein the first ser is either an individual user or an organization representing one or more users.
  - 8. The network of claim 1, wherein at least some of the independent applications communicate with the interoperability network via different access points on a public network.

2. The network of claim wherein each of the plurality of sets of credentials defines access information for a corresponding user for a corresponding application in communication with the interoperability network.

9. A method for facilitating communications via an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent applications and users having associated client machines, the method comprising:
- receiving a request for a first application to perform a particular task involving a second application on behalf of a first user, wherein the first and second applications are in communication with an interoperability network and are provided by at least one service provider;
  
  determining whether the first user has provided a first set of credentials that defines access information for the second application, the first set of credentials being included among a plurality of sets of credentials stored on one or more storage media accessible through the interoperability network;
  
  determining whether the first application is authorized to act on behalf of the first user with respect to the second application with reference to one or more of a plurality of permissions stored on the one or more storage media; and
  
  where the first user has provided the first set of credentials, and where the first application is authorized to act on behalf of the first user with respect to the second application, authorizing the first application to perform the particular task involving the second application on behalf of the first user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein each of the plurality of sets of credentials defines access information for a corresponding user for a corresponding application in communication with the interoperability network.
  - 11. The method of claim 9, wherein each of the plurality of sets of credentials is of a type that is specified by the respective application, and at least two of the plurality of sets of credentials correspond to different authentication protocols.
  - 12. The method of claim 9, wherein determining whether the first application has been granted permission to act on behalf of the first user with respect to the second application comprises:
    - retrieving a first policy from a plurality of policies stored on the one or more storage media, the first policy defining first conditions under which the first application is authorized to act on behalf of the first user with respect to second application; and
      
      determining whether the particular task complies with the first policy.
  - 13. The method of claim 9, wherein first set of credentials is stored in a first user'"'"'s credential storage area on the one or more storage media, the first user'"'"'s credential storage area storing a plurality of sets of credentials for the first user that each defines access information for the first user for one or more applications accessible via the interoperability network.
  - 14. The method of claim 9, wherein determining whether the first application is authorized to act on behalf of the first user with respect to the second application comprises determining whether the first application has been granted a read permission.
  - 15. The method of claim 9, wherein the first user is either an individual user or an organization representing one or more users.
  - 16. The method of claim 9, wherein at least some of the independent applications communicate with the interoperability network via different access points on a public network.

17. A non-transitory computer readable storage medium storing instructions for facilitating communications via an interoperability network configured to facilitate messaging and mediate policy differences among a plurality of independent applications and users having associated client machines, the instructions comprising:
- first instructions for receiving a request for a first application to perform a particular task involving a second application on behalf of a first user, wherein the first and second applications are in communication with an interoperability network and are provided by at least one service provider;
  
  second instructions for determining whether the first user has provided a first set of credentials that defines access information for the second application, the first set of credentials being included among a plurality of sets of credentials stored on one or more storage media accessible through the interoperability network;
  
  third instructions for determining whether the first application is authorized to act on behalf of the first user with respect to the second application with reference to one or more of a plurality of permissions stored on the one or more storage media; and
  
  fourth instructions for, where the first user has provided the first set of credentials, and where the first application is authorized to act on behalf of the first user with respect to the second application, authorizing the first application to perform the particular task involving the second application on behalf of the first user.
- View Dependent Claims (18, 19, 20)
- - 18. The computer readable medium of claim 17 wherein each of the plurality of sets of credentials defines access information for a corresponding user for a corresponding application in communication with the interoperability network.
  - 19. The computer readable medium of claim 17, wherein each of the plurality of sets of credentials is of a type that is specified by the respective application, and at least two of the plurality of sets of credentials correspond to different authentication protocols.
  - 20. The computer readable medium of claim 17, wherein determining whether the first application has been granted permission to act on behalf of the first user with respect to the second application comprises:
    - retrieving a first policy from a plurality of policies stored on the one or more storage media, the first policy defining first conditions under which the first application is authorized to act on behalf of the first user with respect to the second application; and
      
      determining whether the particular task complies with the first policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Boulos, Thomas Nabiel, Behera, Prasanta Kumar
Primary Examiner(s)
McNally, Michael S

Application Number

US13/620,174
Publication Number

US 20130014230A1
Time in Patent Office

438 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Application identity design

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Application identity design

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links