Using cached security tokens in an online service

US 8,850,550 B2
Filed: 11/23/2010
Issued: 09/30/2014
Est. Priority Date: 11/23/2010
Status: Active Grant

First Claim

Patent Images

1. A method for using cached security tokens in an online service, comprising:

receiving a request over a network from a client for a resource of the online service, wherein the request comprises an identity claim that uniquely identifies an externally stored first security token, and wherein the externally stored first security token is different from the identity claim and is stored in memory in a location that is separate from the request;

determining that the first security token is no longer valid;

revoking the identity claim by deleting the first security token from the memory;

attempting to access with the identity claim, the externally stored first security token;

when the first security token is not found at the online service;

sending the identity claim to a token issuing authority to generate a second security token; and

determining, with the second security token, when to provide the resource to the client.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security token service generates a security token for a user that is associated with a client and stores the full security token within a memory. The security token includes an identity claim that represents the identity of the generated security token. Instead of passing the entire security token back to the client, the identity claim is returned to the client. For each request the client makes to the service, the client passes the identity claim in the request instead of the full security token having all of the claims. The identity claim is much smaller then the full security token. When a computing device receives the identity claim within the request from the user, the identity claim is used to access the full security token that is stored in memory.

175 Citations

17 Claims

1. A method for using cached security tokens in an online service, comprising:
- receiving a request over a network from a client for a resource of the online service, wherein the request comprises an identity claim that uniquely identifies an externally stored first security token, and wherein the externally stored first security token is different from the identity claim and is stored in memory in a location that is separate from the request;
  
  determining that the first security token is no longer valid;
  
  revoking the identity claim by deleting the first security token from the memory;
  
  attempting to access with the identity claim, the externally stored first security token;
  
  when the first security token is not found at the online service;
  
  sending the identity claim to a token issuing authority to generate a second security token; and
  
  determining, with the second security token, when to provide the resource to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 16)
- - 2. The method of claim 1, further comprising generating a security token for the client and storing the generated security token in the memory;
    - wherein the generated security token comprises claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated security token.
  - 3. The method of claim 2, wherein storing the generated security token in the memory comprises storing the claims of the security token in binary form in the memory.
  - 4. The method of claim 1, wherein the memory is at least one of:
    - a cache and a distributed cache.
  - 5. The method of claim 1, wherein the security token is a Security Assertion Markup Language (SAML) token.
  - 6. The method of claim 1, wherein the identity claim comprises UserIdentity+“
    - ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)).
  - 7. The method of claim 1, wherein the identity claim comprises UserIdentity+“
    - ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.
  - 16. The method of claim 1, wherein the identity claim is smaller in size than the security token uniquely identified by the identity claim.

8. A computer-readable storage medium, excluding a signal, having computer-executable instructions for using cached security tokens for users, comprising:
- receiving a request from a client for a resource that is located within a network;
  
  wherein the request comprises an identity claim that uniquely identifies an externally stored first Security Assertion Markup Language (SAML) token, and wherein the first SAML token is stored in memory within the network and is separate from the request;
  
  determining that the first SAML token is no longer valid;
  
  revoking the identity claim by deleting the first SAML token from the memory;
  
  attempting to access, with the identity claim, the externally stored first SAML token;
  
  when the first SAML token is not found on the network;
  
  sending the identity claim to a token issuing authority to generate a second SAML token; and
  
  determining, with the second SAML token, when to provide the resource to the client.
- View Dependent Claims (9, 10, 11, 12, 17)
- - 9. The computer-readable storage medium of claim 8, further comprising generating a SAML token for the client and storing the generated SAML token in the memory;
    - wherein the generated SAML token comprises claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated SAML token.
  - 10. The computer-readable storage medium of claim 9, wherein storing the generated SAML token in the memory comprises storing the claims of the SAML token in binary form in the memory.
  - 11. The computer-readable storage medium of claim 8, wherein the memory is at least one of:
    - a cache and a distributed cache that is within the network.
  - 12. The computer-readable storage medium of claim 8, wherein the identity claim comprises one of:
    - UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)) and UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.
  - 17. The method of claim 8, wherein the identity claim is smaller in size than the security token uniquely identified by the identity claim.

13. A system for routing requests in an online service, comprising:
- a processor and a computer-readable medium, excluding a signal;
  
  an operating environment stored on the computer-readable medium and executing on the processor;
  
  a security token service that provides a security token service that is used to generate security tokens for users in a network, wherein the generated security tokens comprise claims, wherein at least one of the claims generated is an identity claim that is used in identifying the generated security token;
  
  wherein the identity claim is returned to the client instead of returning the generated security token;
  
  wherein at least one computing device in the online service is configured to perform actions, comprising;
  
  receiving a request from a client for a resource that is located within the network;
  
  wherein the request comprises an identity claim that uniquely identifies an externally stored first security token from the request, wherein the externally stored first security token is stored in memory within the network;
  
  determining that the first security token is no longer valid;
  
  revoking the identity claim by deleting the first security token from the memory;
  
  attempting to access with the identity claim, the externally stored first security token;
  
  when the first security token is not found on the network;
  
  sending the identity claim to a token issuing authority to generate a second security token; and
  
  determining, with the second security token, when to provide the resource to the client.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein accessing the security token using the identity claim that is contained within the received request comprises determining a tenancy that is associated with the client and accessing the security token that is associated with the determined tenancy for the client.
  - 15. The system of claim 13, wherein the identity claim comprises one of:
    - UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)) and UserIdentity+“
      
      ,”
      
      +ExpirationTime+“
      
      ,”
      
      +Base64(RSA-SHA2-256 signature of (UserIdentity+“
      
      ,”
      
      +ExpirationTime)),AudienceURI.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Zhigu Holdings Limited
Original Assignee
Microsoft Corporation
Inventors
Dalzell, Javier, Hopmann, Alexander, Nguyen, Huy
Primary Examiner(s)
Louie, Oscar
Assistant Examiner(s)
NGUYEN, HAO HONG

Application Number

US12/953,379
Publication Number

US 20120131660A1
Time in Patent Office

1,407 Days
Field of Search
US Class Current

726/9
CPC Class Codes

G06F 21/335   for accessing specific reso...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2149   Restricted operating enviro...

H04L 63/062   for key distribution, e.g. ...

H04L 63/0815   providing single-sign-on or...

H04L 63/168   above the transport layer

H04L 9/3213   using tickets or tokens, e....

Using cached security tokens in an online service

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

175 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Using cached security tokens in an online service

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

175 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links