Just in time visitor authentication and visitor access media issuance for a physical site

US 8,847,729 B2
Filed: 08/29/2011
Issued: 09/30/2014
Est. Priority Date: 08/29/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A method of issuing a visitor access medium to a visitor for access to a visitor access medium controlled physical site of a host organization, comprising:

receiving, by at least one processor of a host organization system for a host organization of a physical site, a request, by a visitor with an identifier of a visitor organization, for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to a federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor comprising authentication information for the visitor organization system to authenticate the identity of the visitor according to the federation standard, wherein the host organization system does not separately maintain information for authenticating the identity of the visitor;

identifying, by the at least one processor, the visitor organization system from among a plurality of visitor organization systems with which the host organization system maintains separate electronic trust relationships according to the federation standard;

sending, by the at least one processor, a request to the visitor organization system to provide access to the visitor;

receiving, by the at least one processor, a login interface for the visitor from the visitor organization system;

outputting, by the at least one processor, the login interface for the visitor to enter identifying information;

sending, by the at least one processor, the identifying information input by the visitor through the login interface to the visitor organization system according to the federation standard;

receiving, by the at least one processor, an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor;

responsive to validating the identity provider token is from the visitor organization system, dispensing, by the at least one processor, a resource token from the host organization system according to the federation standard validating the identity of the visitor by the visitor organization system, wherein at least one assertion in the identity provider token authenticating the identity of the visitor is copied into the resource token, wherein the host organization system implements the authentication process through the existing electronic trust relationship with the visitor organization system to generate the resource token to authenticate the visitor for access to both the electronic services of the host organization system and for access to the physical site;

translating, by the at least one processor, data in the resource token specified according to the federation standard into a physical access control system request for the visitor access medium formatted for calling a physical access control system application programming interface; and

sending, by a visitor access service of the host organization system, the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers for controlling access to the physical site.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A host organization system for a host organization of a physical site, receives a request, by a visitor with an identifier of a visitor organization for a visitor access medium, for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor. Responsive to the host organization system receiving an authenticated identifier for the visitor from the visitor organization system and validating the authenticated identifier from the visitor organization system, issuing a visitor access medium to the visitor for controlling access to the physical site.

Citations

14 Claims

1. A method of issuing a visitor access medium to a visitor for access to a visitor access medium controlled physical site of a host organization, comprising:
- receiving, by at least one processor of a host organization system for a host organization of a physical site, a request, by a visitor with an identifier of a visitor organization, for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to a federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor comprising authentication information for the visitor organization system to authenticate the identity of the visitor according to the federation standard, wherein the host organization system does not separately maintain information for authenticating the identity of the visitor;
  
  identifying, by the at least one processor, the visitor organization system from among a plurality of visitor organization systems with which the host organization system maintains separate electronic trust relationships according to the federation standard;
  
  sending, by the at least one processor, a request to the visitor organization system to provide access to the visitor;
  
  receiving, by the at least one processor, a login interface for the visitor from the visitor organization system;
  
  outputting, by the at least one processor, the login interface for the visitor to enter identifying information;
  
  sending, by the at least one processor, the identifying information input by the visitor through the login interface to the visitor organization system according to the federation standard;
  
  receiving, by the at least one processor, an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor;
  
  responsive to validating the identity provider token is from the visitor organization system, dispensing, by the at least one processor, a resource token from the host organization system according to the federation standard validating the identity of the visitor by the visitor organization system, wherein at least one assertion in the identity provider token authenticating the identity of the visitor is copied into the resource token, wherein the host organization system implements the authentication process through the existing electronic trust relationship with the visitor organization system to generate the resource token to authenticate the visitor for access to both the electronic services of the host organization system and for access to the physical site;
  
  translating, by the at least one processor, data in the resource token specified according to the federation standard into a physical access control system request for the visitor access medium formatted for calling a physical access control system application programming interface; and
  
  sending, by a visitor access service of the host organization system, the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers for controlling access to the physical site.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, where receiving, by at least one processor of a host organization system for a host organization of the physical site, a request by a visitor with an identifier of a visitor organization for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, further comprises:
    - receiving, by the at least one processor, the request by the visitor physically present at a visitor check-in point of the physical site through a browser window of the visitor check-in point.
  - 3. The method according to claim 1, wherein receiving, by the at least one processor, an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor, further comprises:
    - responsive to a visitor interface of the host organization system receiving the identity provider token, redirecting the identity provider token from the visitor interface to a resource secure token service of the host organization system; and
      
      responsive to the resource secure token service receiving the identity provider token, validating the identity provider token by authenticating that an identity provider secure token service of the visitor organization system sent the identity provider token according to the federation standard.
  - 4. The method according to claim 1, wherein receiving, by at least one processor of a host organization system for a host organization of the physical site, a request by a visitor with an identifier of a visitor organization for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to a federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor, further comprises:
    - establishing the electronic trust relationship between the host organization system and the visitor organization system under the federation standard comprising a WS-Federation protocol.
  - 5. The method according to claim 1, wherein sending, by a visitor access service of the host organization system, the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers, further comprises:
    - sending by the visitor provision service interface layer of the host organization system, an instruction to issue the visitor access medium to a particular physical access provision system provider of the host organizations system at a visitor check-in point of the host organization system receiving the request by the visitor; and
      
      outputting, by the particular physical access provision system provider, a physical visitor access medium specified in the instruction.

6. A system for issuing a visitor access medium to a visitor for access to a visitor access medium controlled physical site of a host organization, comprising:
- one or more processors;
  
  a host organization system, for execution by at least one of said one or more processors, operative to receive, for a host organization of a physical site, a request, by a visitor with an identifier of a visitor organization, for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to a federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor comprising authentication information for the visitor organization system to authenticate the identity of the visitor according to the federation standard, wherein the host organization system does not separately maintain information for authenticating the identity of the visitor;
  
  the host organization system operative to identify the visitor organization system from among a plurality of visitor organization systems with which the host organization system maintains separate electronic trust relationships according to the federation standard;
  
  the host organization system operative to send a request to the visitor organization system to provide access to the visitor;
  
  the host organization system operative to receive a login interface for the visitor from the visitor organization system;
  
  the host organization system operative to output the login interface for the visitor to enter identifying information;
  
  the host organization system operative to send the identifying information input by the visitor through the login interface to the visitor organization system according to the federation standard;
  
  the host organization system operative to receive an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor;
  
  the host organization system, responsive to validating the identity provider token is from the visitor organization system, operative to dispense a resource token from the host organization system according to the federation standard validating the identity of the visitor by the visitor organization system, wherein at least one assertion in the identity provider token authenticating the identity of the visitor is copied into the resource token, wherein the host organization system implements the authentication process through the existing electronic trust relationship with the visitor organization system to generate the resource token to authenticate the visitor for access to both the electronic services of the host organization system and for access to the physical site;
  
  the host organization system, operative to translate data in the resource token specified according to the federation standard into a physical access control system request for the visitor access medium formatted for calling a physical access control system application programming interface; and
  
  the host organization system, operative to send, by a visitor access service of the host organization system, the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers for controlling access to the physical site.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The system according to claim 6, where the host organization system operative to receive a request by a visitor with an identifier of a visitor organization for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, further comprises:
    - the host organization system operative to receive the request by the visitor physically present at a visitor check-in point of the physical site through a browser window of the visitor check-in point.
  - 8. The system according to claim 6, wherein the host organization system operative to receive an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor, further comprises:
    - the host organization system, responsive to a visitor interface of the host organization system receiving the identity provider token, operative to redirect the identity provider token from the visitor interface to a resource secure token service of the host organization system; and
      
      the host organization system, responsive to the resource secure token service receiving the identity provider token, operative to validate the identity provider token by authenticating that an identity provider secure token service of the visitor organization system sent the identity provider token according to the federation standard.
  - 9. The system according to claim 6, wherein a host organization system, operative to receive, for a host organization of the physical site, a request by a visitor with an identifier of a visitor organization for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to the federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor, further comprises:
    - the host organization system operative to establish the electronic trust relationship between the host organization system and the visitor organization system under the federation standard comprising a WS-Federation protocol.
  - 10. The system according to claim 6, wherein the host organization system, operative to send, by a visitor access service of the host organization system, the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers, further comprises:
    - the visitor provision service interface layer of the host organization system operative to send an instruction to issue the visitor access medium to a particular physical access provision system provider of the host organizations system at a visitor check-in point of the host organization system receiving the request by the visitor; and
      
      the particular physical access provision system provider operative to output a physical visitor access medium specified in the instruction.

11. A computer program product for issuing a visitor access medium to a visitor for access to a visitor access medium controlled physical site of a host organization, comprising:
- one or more computer-readable, tangible non-transitory storage devices;
  
  program instructions, stored on at least one of the one or more storage devices to receive, for a host organization system of a host organization of a physical site, a request, by a visitor with an identifier of a visitor organization, for a visitor access medium for access to the physical site controlled by a physical access control system requiring presentation of the visitor access medium for access to the physical site, wherein there is an electronic trust relationship according to a federation standard between the host organization system and a visitor organization system for the visitor organization via a network, wherein the visitor organization system maintains an electronic identity profile for the visitor comprising authentication information for the visitor organization system to authenticate the identity of the visitor according to the federation standard, wherein the host organization system does not separately maintain information for authenticating the identity of the visitor;
  
  program instructions, stored on at least one of the one or more storage devices to identify the visitor organization system from among a plurality of visitor organization systems with which the host organization system maintains separate electronic trust relationships according to the federation standard;
  
  program instructions, stored on at least one of the one or more storage devices to send a request to the visitor organization system to provide access to the visitor;
  
  program instructions, stored on at least one of the one or more storage devices to receive a login interface for the visitor from the visitor organization system;
  
  program instructions, stored on at least one of the one or more storage devices to output the login interface for the visitor to enter identifying information;
  
  program instructions, stored on at least one of the one or more storage devices to send the identifying information input by the visitor through the login interface to the visitor organization system according to the federation standard;
  
  program instructions, stored on at least one of the one or more storage devices to receive an identity provider token dispensed by the visitor organization system according to the federation standard identifying the identity of the visitor is verified by the visitor organization system from the identifying information authenticating in the electronic identity profile for the visitor,program instructions, stored on at least one of the one or more storage devices, responsive to validating the identity provider token is from the visitor organization system, to dispense a resource token from the host organization system according to the federation standard validating the identity of the visitor by the visitor organization system, wherein at least one assertion in the identity provider token authenticating the identity of the visitor is copied into the resource token, wherein the host organization system implements the authentication process through the existing electronic trust relationship with the visitor organization system to generate the resource token to authenticate the visitor for access to both the electronic services of the host organization system and for access to the physical site;
  
  program instructions, stored on at least one of the one or more storage devices to translate data in the resource token specified according to the federation standard into a physical access control system request for the visitor access medium formatted for calling a physical access control system application programming interface; and
  
  program instructions, stored on at least one of the one or more storage devices to send the physical access control system request to a visitor provision service interface layer atop a physical access control system to call the physical access control system application program interface, for adding the visitor to the physical access control system and triggering issuance of the visitor access medium for the visitor, wherein the visitor provision service layer provides an interface between the host organization system and the physical access control system, wherein the visitor provision service layer distributes the physical access control system request to at least one physical access control system provider comprising the physical access control system application program interface of the physical access control system, wherein each physical access control system provider provisions access by the visitor using the physical visitor access medium by each of a plurality of door controllers for controlling access to the physical site.
- View Dependent Claims (12, 13, 14)
- - 12. The computer program product according to claim 11, further comprising:
    - program instructions, stored on at least one of the one or more storage devices to receive the request by the visitor physically present at a visitor check-in point of the physical site through a browser window of the visitor check-in point.
  - 13. The computer program product according to claim 11, further comprising:
    - program instructions, stored on at least one of the one or more storage devices, responsive to a visitor interface of the host organization system receiving the identity provider token, to redirect the identity provider token from the visitor interface to a resource secure token service of the host organization system; and
      
      program instructions, stored on at least one of the one or more storage devices, responsive to the resource secure token service receiving the identity provider token, to validate the identity provider token by authenticating that an identity provider secure token service of the visitor organization system sent the identity provider token according to the federation standard.
  - 14. The computer program product according to claim 11, further comprising:
    - program instructions, stored on at least one of the one or more storage devices to send an instruction to issue the visitor access medium to a particular physical access provision system provider of the host organizations system at a visitor check-in point of the host organization system receiving the request by the visitor; and
      
      program instructions, stored on at least one of the one or more storage devices to control output of a physical visitor access medium specified in the instruction.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Moore, David P., Pearson, Craig
Primary Examiner(s)
Lee, Benjamin C
Assistant Examiner(s)
PHAM, QUANG

Application Number

US13/219,833
Publication Number

US 20130049928A1
Time in Patent Office

1,128 Days
Field of Search

340/5.51, 340/5.2, 726/9, 726/2, 726/4, 726/8, 726/12, 726/21, 713/168, 713/170
US Class Current

340/5.51
CPC Class Codes

G07B 15/00 Arrangements or apparatus f...

G07C 11/00 Arrangements, systems or ap...

Just in time visitor authentication and visitor access media issuance for a physical site

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Just in time visitor authentication and visitor access media issuance for a physical site

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links