Invocation of third party's service

US 8,838,986 B2
Filed: 09/23/2011
Issued: 09/16/2014
Est. Priority Date: 08/08/2005
Status: Active Grant

First Claim

Patent Images

1. A method for invoking a computer-implemented service on a computer system including at least one processor, the method comprising:

receiving a request from a delegate user to invoke a service on behalf of a managing user authorized to invoke the service, the managing user different than the delegate user, the request including a security token specific to the delegate user and including at least one of an identity token specific to the managing user and a pointer to the identity token specific to the managing user;

authenticating, via the at least one processor, the delegate user based on the security token;

identifying one or more service features of the service that the delegate user is authorized to invoke on behalf of the managing user based on the identity token and the security token; and

enabling the delegate user to invoke the identified one or more service features on behalf of the managing user.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Invoking a computer implemented service includes receiving a request from a first user to access a service associated with a second user. The request is associated with a security token for the first user and an identity token for the second user. The acceptability of the security token is determined to authenticate the first user, and the acceptability of the identity token is determined to securely identify the second user. The first user is able to access the service associated with the second user conditioned on the security token being determined to be acceptable and the identity token being determined to be acceptable.

28 Citations

View as Search Results

18 Claims

1. A method for invoking a computer-implemented service on a computer system including at least one processor, the method comprising:
- receiving a request from a delegate user to invoke a service on behalf of a managing user authorized to invoke the service, the managing user different than the delegate user, the request including a security token specific to the delegate user and including at least one of an identity token specific to the managing user and a pointer to the identity token specific to the managing user;
  
  authenticating, via the at least one processor, the delegate user based on the security token;
  
  identifying one or more service features of the service that the delegate user is authorized to invoke on behalf of the managing user based on the identity token and the security token; and
  
  enabling the delegate user to invoke the identified one or more service features on behalf of the managing user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 17)
- - 2. The method of claim 1, wherein the delegate user is not a registered user of the service.
  - 3. The method of claim 1, wherein receiving the request from the delegate user comprises receiving a message from the delegate user that includes a header portion comprising the identity token.
  - 4. The method of claim 3, wherein the header portion additionally includes the security token or a pointer to the security token.
  - 5. The method of claim 4, wherein the security token or the pointer to the security token is contained in a security context in the header portion.
  - 6. The method of claim 5, wherein the security context comprises a Web Services Security (WS-Security) context.
  - 7. The method of claim 1, wherein the one or more service features that the delegate user is authorized to invoke on behalf of the managing user are identified according to one or more rules for permissible use of the security token.
  - 8. The method of claim 1, wherein the security token comprises a Security Assertions Mark-up Language (SAML) assertion or a SAML authentication assertion.
  - 17. The method of claim 1, further comprising:
    - determining the acceptability of the identity token based on the validity of the identity token and one or more rules for permissible use of the identity token.

9. A non-transitory computer-readable medium comprising instructions that are executed by at least one processor to cause the at least one processor to perform steps comprising:
- receiving a request from a delegate user to invoke a service on behalf of a managing user authorized to invoke the service, the managing user different than the delegate user, the request including a security token specific to the delegate user and including at least one of an identity token specific to the managing user and a pointer to the identity token specific to the managing user;
  
  authenticating the delegate user based on the security token;
  
  identifying one or more service features of the service that the delegate user is authorized to invoke on behalf of the managing user based on the identity token and the security token; and
  
  enabling the delegate user to invoke the identified one or more service features on behalf of the managing user.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 18)
- - 10. The non-transitory computer-readable medium of claim 9, wherein the delegate user is not a registered user of the service.
  - 11. The non-transitory computer-readable medium of claim 9, wherein receiving the request from the delegate user comprises receiving a message from the delegate user that includes a header portion comprising the identity token.
  - 12. The non-transitory computer-readable medium of claim 11, wherein the header portion additionally includes the security token or a pointer to the security token.
  - 13. The non-transitory computer-readable medium of claim 12, wherein the security token or the pointer to the security token is contained in a security context in the header portion.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the security context comprises a Web Services Security (WS-Security) context.
  - 15. The non-transitory computer-readable medium of claim 9, wherein the one or more service features that the delegate user is authorized to invoke on behalf of the managing user are identified according to one or more rules for permissible use of the security token.
  - 16. The non-transitory computer-readable medium of claim 9, wherein the security token comprises a Security Assertions Mark-up Language (SAML) assertion or a SAML authentication assertion.
  - 18. The non-transitory computer-readable medium of claim 9, further comprising instructions for:
    - determining the acceptability of the identity token based on the validity of the identity token and one or more rules for permissible use of the identity token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Cahill, Conor P.
Primary Examiner(s)
Rahman, Mohammad L

Application Number

US13/243,790
Publication Number

US 20120017269A1
Time in Patent Office

1,089 Days
Field of Search

726/2, 713/182
US Class Current

713/182
CPC Class Codes

G06Q 10/10 Office automation; Time man...

G06Q 20/367 involving electronic purses...

Invocation of third party's service

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

28 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Invocation of third party's service

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links