User-portable device and method of use in a user-centric identity management system

US 8,850,548 B2
Filed: 05/27/2009
Issued: 09/30/2014
Est. Priority Date: 05/27/2008
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a user-portable user computing device including;

a storage comprising a plurality of first user identities,a storage comprising at least one user attribute, anda security token generator operatively coupled to the user attribute storage, wherein the security token generator;

receives a token request in reference to a first user identity of the first user identities from an identity management module executing on a host computing system, the receipt of the token request responsive to a security policy from a relying party,determines that the first user identity satisfies the security policy from among the plurality of first user identities,generates a security token in accordance with the token request, using the at least one user attribute,exports at least one of the plurality of user identities,receives the token request relative to one of the exported identities, andissues the security token based on the token request, using user attribute information associated with the user identities,wherein the security token generator retrieves a set of user attributes to support claim assertions of the security token, and wherein the set is associated with a first information card included in a plurality of selectable information cards containing at least the security token and indicative of the first user identity.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user-portable computing device configured as a smart card enables a user to carry identification information and to generate security tokens for use in authenticating the user to a service provider. The device includes memory for storing user identities as information cards that are exported to a host computer, presented to a user in visual form, and then selected for use in the authentication process. A security token service installed on the device issues a security token in response to a token request sent from the host computer that references the selected user identity. The security token service uses user attribute information stored on the user device to compose the claim assertions needed to issue the security token. The token is returned to the host computer and used to facilitate the authentication process.

Citations

19 Claims

1. A system, comprising:
- a user-portable user computing device including;
  
  a storage comprising a plurality of first user identities,a storage comprising at least one user attribute, anda security token generator operatively coupled to the user attribute storage, wherein the security token generator;
  
  receives a token request in reference to a first user identity of the first user identities from an identity management module executing on a host computing system, the receipt of the token request responsive to a security policy from a relying party,determines that the first user identity satisfies the security policy from among the plurality of first user identities,generates a security token in accordance with the token request, using the at least one user attribute,exports at least one of the plurality of user identities,receives the token request relative to one of the exported identities, andissues the security token based on the token request, using user attribute information associated with the user identities,wherein the security token generator retrieves a set of user attributes to support claim assertions of the security token, and wherein the set is associated with a first information card included in a plurality of selectable information cards containing at least the security token and indicative of the first user identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the user computing device is a personal portable security device.
  - 3. The system of claim 1, wherein the user computing device further comprises:
    - a smart card.
  - 4. The system of claim 1, wherein the plurality of information cards is displayed for a user to view and from which to enter selections.
  - 5. The system of claim 4, wherein the at least one information card comprises:
    - at least one self-issued card; and
      
      at least one third-party managed card.
  - 6. The system of claim 1, further comprises:
    - a service provider environment including at least one identity provider and at least one relying party;
      
      the identity management module executing on a host computing system facilitates online interactions between a user and the service provider environment by managing identity requirements of the interactions;
      
      anda network access connection to enable communications between the identity management module and the service provider environment.
  - 7. The system of claim 6, wherein the identity management module executing on a host computing system:
    - (i) receives identity requirements from the service provider environment relating to a service request, (ii) identifies, as an eligible identity, any user identity among the plurality of first user identities that satisfies the identity requirements, (iii) generates a token request in reference to an eligible user identity, (iv) sends the token request to the security token generator of the user computing device, and (v) receives the security token issued by the security token generator in response to the token request.
  - 8. The system of claim 6, wherein the identity management module further:
    - provides a plurality of second user identities each associated with a respective identity provider;
      
      responsive to a security policy from a relying party, determines whether any user identity satisfies the security policy from among the plurality of first user identities and the plurality of second user identities,enables the user to make a selection from among the user identities determined to satisfy the security policy,responsive to a user selection drawn from the plurality of first user identities, provides a token request based on the selected user identity, communicates the token request to the security token generator of the user computing device, and receives the security token generated thereby, andresponsive to a user selection drawn from the plurality of second user identifies, provides a token request based on the selected user identity, communicates the token request to the identity provider associated with the selected user identity, and receives any security token issued by the identity provider occurring in response to the token request.

9. In an environment including a service provider environment, an identity provider environment, a host computing system, a network connecting the host computing system to the service provider environment and the identity provider environment, and a user-portable user computing device that communicates with the host computing system and including a plurality of first user identities and at least one user attribute, a method, comprising:
- the host computing system generating a token request in reference to a first user identity of the first user identities based on an identity management module executing on the host computing system, responsive to a security policy from a relying party, determining that the first user identity satisfies the security policy from among the plurality of first user identities;
  
  the host computing system exporting at least one user identitythe user computing device receiving the token request relative to one of the exported identities; and
  
  the user computing device issuing a security token according to the token request and the user attribute information associated with the user identities;
  
  wherein a security token generator retrieves a set of user attributes to support claim assertions of the security token, and wherein the set is associated with a first information card included in a plurality of selectable information cards containing at least the security token and indicative of the first user identity.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9, further comprises:
    - the user computing device exporting at least one of the first user identities to the host computing system;
      
      the host computing system presenting at least one of the exported user identities to the user;
      
      the user selecting one of the exported user identities;
      
      the host computing system generating further includes generating a token request based on the selected user identity; and
      
      the host computing system communicating the token request to the user computing device.
  - 11. The method of claim 10, further comprises:
    - the user computing device communicating the security token issued in response to the token request to the host computing system; and
      
      the host computing system presenting the security token to the service provider environment in connection with an identification operation.
  - 12. The method of claim 10, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system determining whether any of the first user identities satisfies the requirements of the security policy; and
      
      the host computing system presenting further includes presenting only any first user identities determined to satisfy the requirements of the security policy.
  - 13. The method of claim 9, further comprises:
    - the user computing device exporting at least one user identity to the host computing system, in response to an import request from the host computing system; and
      
      the host computing system generating further includes generating a token request using one of the exported identities.
  - 14. The method of claim 9, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system determining whether any of the first user identities satisfies the requirements of the security policy; and
      
      the host computing system generating further includes generating a token relative to a user-selectable one of the first user identities determined to satisfy the requirements of the security policy.
  - 15. The method of claim 9, further comprises:
    - the host computing system receiving from the service provider environment a security policy having requirements, the security policy communicated in connection with a request for service;
      
      the host computing system providing a plurality of second user identities each associated with a respective identity provider in the identity provider environment;
      
      determining whether any of the first user identities and the second user identities satisfies the security policy requirements;
      
      the user selecting one of the user identities determined to satisfy the security policy requirements;
      
      upon a user selection drawn from the first user identities, the host computing system generating a token request based on the selected user identity, communicating the token request to the user computing device, and receiving the security token generated thereby; and
      
      upon a user selection drawn from the second user identities, the host computing system generating a token request based on the selected user identity, communicating the token request to the identity provider associated with the selected user identity, and receiving any security token issued by the identity provider occurring in response to the token request.

16. A non-transitory computer-readable medium having computer-executable instructions for execution by a processor, that, when executed, cause the processor to:
- receive a token request in reference to one of a plurality of user identities, the plurality of user identities located on the medium, the token request received from an identity management module executing on a host computing system, the receipt of the token request based on the identity management module, responsive to a security policy of a relying party, determining that the one of the plurality of user identities satisfies the security policy from among the plurality of user identities;
  
  generate a security token in accordance with the token request;
  
  export at least one of the plurality of user identities;
  
  receive the token request relative to one of the exported identities; and
  
  issue the security token based on the token request, using user attribute information associated with the at least one of the plurality of user identities;
  
  wherein a security token generator located on the medium retrieves a set of user attributes to support claim assertions of the security token, and wherein the set is associated with a first information card included in a plurality of selectable information cards containing at least the security token and indicative of the first user identity.
- View Dependent Claims (17, 18, 19)
- - 17. The non-transitory computer-readable medium of claim 16, wherein the instructions further cause the processor to:
    - associate each user identity with at least one user attribute located on the medium; and
      
      generate the security token using any user attribute associated with the user identity referenced by the token request.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the instructions further cause the processor to:
    - receive a determination specifying whether any of the user identities satisfies requirements of a security policy; and
      
      export any user identity determined to satisfy requirements of the security policy.
  - 19. The non-transitory computer-readable medium of claim 18, wherein the instructions further cause the processor to:
    - receive a token request made in connection with user selection of one of the exported user identities; and
      
      generate a security token in accordance with the token request relating to the user identity selection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Open Invention Network LLC
Inventors
Ahn, Gail-Joon
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US12/472,512
Publication Number

US 20090300747A1
Time in Patent Office

1,952 Days
Field of Search

726/1, 726/8, 726/9, 726/20, 713/172, 713/185
US Class Current

726/9
CPC Class Codes

G06F 21/34   involving the use of extern...

G06F 21/604   Tools and structures for ma...

G06F 21/6245   Protecting personal data, e...

G06F 21/6263   during internet communicati...

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/0853   using an additional device,...

H04L 63/0876   based on the identity of th...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

User-portable device and method of use in a user-centric identity management system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

User-portable device and method of use in a user-centric identity management system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links