Application identity design

US 8,707,412 B2
Filed: 12/22/2011
Issued: 04/22/2014
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. An interoperability network configured to assist a first service acting on behalf of a first user to obtain authorized access to and task performance by a second service, wherein the first and second service operate on service-associated machines, are separate from each other, and are coupled in communication with the interoperability network, the interoperability network comprising one or more computing devices configured to:

receive a request for the first service to perform a particular task, fulfillment of which requires authorized access to and task performance by the second service;

determine that the first service is authorized to act on behalf of the first user in obtaining authorized access to and task performance by the second service;

retrieve from an electronic storage repository, which stores a plurality of sets of credentials usable by the first user and by a plurality of other users, access information that enables the first user to obtain authorized access to and task performance by the second service; and

provide at least part of the access information to the second service to obtain authorized access to and task performance by the second service.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

Citations

20 Claims

1. An interoperability network configured to assist a first service acting on behalf of a first user to obtain authorized access to and task performance by a second service, wherein the first and second service operate on service-associated machines, are separate from each other, and are coupled in communication with the interoperability network, the interoperability network comprising one or more computing devices configured to:
- receive a request for the first service to perform a particular task, fulfillment of which requires authorized access to and task performance by the second service;
  
  determine that the first service is authorized to act on behalf of the first user in obtaining authorized access to and task performance by the second service;
  
  retrieve from an electronic storage repository, which stores a plurality of sets of credentials usable by the first user and by a plurality of other users, access information that enables the first user to obtain authorized access to and task performance by the second service; and
  
  provide at least part of the access information to the second service to obtain authorized access to and task performance by the second service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The interoperability network of claim 1, wherein each of the plurality of sets of credentials defines access information that enables a corresponding user to obtain authorized access to and task performance by a corresponding service.
  - 3. The interoperability network of claim 1, wherein each of the plurality of sets of credentials is of a type that is specified by a respective service, and at least two of the plurality of sets of credentials correspond to different authentication protocols.
  - 4. The interoperability network of claim 1, wherein verifying that the first service is authorized to act on behalf of the first user with respect to the second service comprises:
    - retrieving a first policy from a plurality of policies stored on one or more storage media, the first policy defining first conditions under which the first service is enabled to act on behalf of the first user with respect to the second service; and
      
      determining that the particular task complies with the first policy.
  - 5. The interoperability network of claim 4, wherein:
    - the first policy further defines one or more or more security requirements governing use of a first set of credentials that includes the access information, andproviding the access information from the first set of credentials to the second service comprises transmitting the access information in compliance with the security requirements defined by the first policy.
  - 6. The interoperability network of claim 1, wherein the access information specifies a message translation required for access to the second service and the computing devices are configured to translate the request by applying the message translation prior to providing the at least part of the access information to the second service.
  - 7. The interoperability network of claim 1, wherein each of the credentials specify permissions for one or more services to read and use the access information.
  - 8. The interoperability network of claim 1, wherein the first user is either an individual user or an organization representing one or more users.

9. A method of facilitating, via an interoperability network, authorized access to and task performance by a second service for a first service acting on behalf of a first user, wherein the first and second service operate on service-associated machines, are separate from each other, and are coupled in communication with the interoperability network, the interoperability network the method comprising:
- receiving a request for the first service to perform a particular task, fulfillment of which requires authorized access to and task performance by the second service;
  
  determining that the first service is authorized to act on behalf of the first user in obtaining authorized access to and task performance by the second service;
  
  retrieving from an electronic storage repository, which stores a plurality of sets of credentials usable by the first user and by a plurality of other users, access information that enables the first user to obtain authorized access to and task performance by the second service; and
  
  providing at least part of the access information to the second service to obtain authorized access to and task performance by the second service.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, wherein each of the plurality of sets of credentials defines access information that enables a corresponding user to obtain authorized access to and task performance by a corresponding service.
  - 11. The method of claim 9, wherein verifying that the first service is authorized to act on behalf of the first user with respect to the second service comprises:
    - retrieving a first policy from a plurality of policies stored on one or more storage media, the first policy defining first conditions under which the first service is enabled to act on behalf of the first user with respect to the second service; and
      
      determining that the particular task complies with the first policy.
  - 12. The method of claim 11, wherein:
    - the first policy further defines one or more or more security requirements governing use of a first set of credentials that includes the access information, andproviding the access information from the first set of credentials to the second service comprises transmitting the access information in compliance with the security requirements defined by the first policy.
  - 13. The method of claim 9, wherein the access information specifies a message translation required for access to the second service and the computing devices are configured to translate the request by applying the message translation prior to providing the at least part of the access information to the second service.
  - 14. The method of claim 9, wherein each of the credentials specify permissions for one or more services to read and use the access information.
  - 15. The method of claim 9, wherein the first user is either an individual user or an organization representing one or more users.

16. A non-transitory computer readable storage medium storing instructions for facilitating, via an interoperability network, authorized access to and task performance by a second service for a first service acting on behalf of a first user, wherein the first and second service operate on service-associated machines, are separate from each other, and are coupled in communication with the interoperability network, the instructions comprising:
- first instructions to receive a request for the first service to perform a particular task, fulfillment of which requires authorized access to and task performance by the second service;
  
  second instructions to determine that the first service is authorized to act on behalf of the first user in obtaining authorized access to and task performance by the second service;
  
  third instructions to retrieve from an electronic storage repository, which stores a plurality of sets of credentials usable by the first user and by a plurality of other users, access information that enables the first user to obtain authorized access to and task performance by the second service; and
  
  fourth instructions to provide at least part of the access information to the second service to obtain authorized access to and task performance by the second service.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer readable medium of claim 16, wherein each of the plurality of sets of credentials defines access information that enables a corresponding user to obtain authorized access to and task performance by a corresponding service.
  - 18. The computer readable medium of claim 16, wherein verifying that the first service is authorized to act on behalf of the first user with respect to the second service comprises:
    - retrieving a first policy from a plurality of policies stored on one or more storage media, the first policy defining first conditions under which the first service is enabled to act on behalf of the first user with respect to the second service; and
      
      determining that the particular task complies with the first policy.
  - 19. The computer readable medium of claim 18, wherein:
    - the first policy further defines one or more or more security requirements governing use of a first set of credentials that includes the access information, andproviding the access information from the first set of credentials to the second service comprises transmitting the access information in compliance with the security requirements defined by the first policy.
  - 20. The computer readable medium of claim 16, wherein the access information specifies a message translation required for access to the second service and the computing devices are configured to translate the request by applying the message translation prior to providing the at least part of the access information to the second service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Boulos, Thomas Nabiel, Behera, Prasanta Kumar
Primary Examiner(s)
McNally, Michael S

Application Number

US13/335,592
Publication Number

US 20120096534A1
Time in Patent Office

852 Days
Field of Search

726/8
US Class Current

726/8
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Application identity design

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Application identity design

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links