Federated identity broker

US 8,856,957 B1
Filed: 12/22/2011
Issued: 10/07/2014
Est. Priority Date: 12/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

registering, by a federated identity broker application executing on one or more computing devices, a first customer as an identity provider;

registering, by the federated identity broker application, a second customer as an identity consumer;

supplying to the second customer a set of registered identity providers that have registered with the federated identity broker application, the set identifying at least the first customer as a trusted provider; and

acting as an intermediary between the first customer and the second customer to broker an identity request from the second customer that is granted or denied by the first customer by;

receiving, by the federated identity broker application, the identity request from the second customer in an inbound flow;

changing, by the federated identity broker application, a permission associated with the identity request;

generating, by the federated identity broker application, a broker identity request using at least information associated with the identity request and including the changed permission; and

transmitting, by the federated identity broker application, the broker identity request, including the changed permission, to the first customer on a separate outbound flow.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A federated identity system is described. A federated identity broker registers a first customer as an identity provider and a second customer as an identity consumer. The federated identity broker acts as an intermediary between the first customer and the second customer, to broker an identity request from the first customer that is fulfilled by the second customer.

Citations

16 Claims

1. A method, comprising:
- registering, by a federated identity broker application executing on one or more computing devices, a first customer as an identity provider;
  
  registering, by the federated identity broker application, a second customer as an identity consumer;
  
  supplying to the second customer a set of registered identity providers that have registered with the federated identity broker application, the set identifying at least the first customer as a trusted provider; and
  
  acting as an intermediary between the first customer and the second customer to broker an identity request from the second customer that is granted or denied by the first customer by;
  
  receiving, by the federated identity broker application, the identity request from the second customer in an inbound flow;
  
  changing, by the federated identity broker application, a permission associated with the identity request;
  
  generating, by the federated identity broker application, a broker identity request using at least information associated with the identity request and including the changed permission; and
  
  transmitting, by the federated identity broker application, the broker identity request, including the changed permission, to the first customer on a separate outbound flow.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the permission describes access to a resource authenticated by the second customer.
  - 3. The method of claim 2, wherein the permission is at least a read access permission or a write access permission.
  - 4. The method of claim 1, wherein the permission grants access to at least of a plurality of resources accessible by the first customer.
  - 5. The method of claim 1, wherein the first customer and the second customer have no predefined identity consumer-provider relationship.
  - 6. The method of claim 1, further comprising supplying to the second customer a set of registered identity providers that have registered with the federated identity broker application, the set identifying at least the first customer as a trusted provider.
  - 7. The method of claim 6, further comprising receiving, from the second customer, a selection of the first customer as the trusted provider.

8. A system, comprising:
- at least one computing device; and
  
  the at least one computing device executing a federated identity broker application, the federated identity broker application comprising;
  
  logic that registers a first customer as an identity provider on request by the first customer;
  
  logic that registers a second customer as an identity consumer on request by the second customer;
  
  logic that receives a first identity request from the second customer on an inbound flow;
  
  logic that generates a changed permission associated with the first identity request;
  
  logic that generates a broker identity request using at least information associated with the first identity request and including the changed permission;
  
  logic that sends the broker identity request to the first customer on an outbound flow separate from the inbound flow, brokering the first identity request from the second customer that is granted or denied by the first customer; and
  
  logic that requests an end user of the first customer to approve the first identity request, wherein the logic that sends the broker identity request to the first customer on the outbound flow is conditional upon approval by the end user.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The system of claim 8, wherein the broker identity request is implemented using an OAuth protocol.
  - 10. The system of claim 8, wherein the federated identity broker application further comprises logic that modifies the first identity request to produce the broker identity request.
  - 11. The system of claim 8, wherein the federated identity broker application further comprises logic that receives a second identity request from an end user of the first customer.
  - 12. The system of claim 8, wherein the federated identity broker application further comprises:
    - logic that receives a first response to the broker identity request from the first customer; and
      
      logic that sends a second response to the second customer, the second response based at least in part on the first response.
  - 13. The system of claim 12, wherein the first response is selected from the group consisting of a grant and a deny.

14. A non-transitory computer readable medium embodying a program executable by at least one computing device the program configured to cause the at least one computing device to at least:
- registering, by a federated identity broker application executing on the at least one computing device, a first customer as an identity provider;
  
  registering, by the federated identity broker application, a second customer as an identity consumer;
  
  supplying, by the federated identity broker application, to the second customer a set of registered identity providers that have registered with the federated identity broker application, the set identifying at least the first customer as a trusted provider; and
  
  acting as an intermediary between the first customer and the second customer to broker an identity request from the second customer that is granted or denied by the first customer by;
  
  receiving, by the federated identity broker application, the identity request from the second customer in an inbound flow;
  
  changing, by the federated identity broker application, a permission associated with the identity request;
  
  generating, by the federated identity broker application, a broker identity request using at least information associated with the identity request and including the changed permission; and
  
  transmitting, by the federated identity broker application, the broker identity request, including the changed permission, to the first customer on a separate outbound flow.
- View Dependent Claims (15, 16)
- - 15. The non-transitory computer readable medium of claim 14, wherein the permission describes access to a resource authenticated by the second customer.
  - 16. The non-transitory computer readable medium of claim 14, wherein the permission is at least a read access permission or a write access permission.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Roth, Gregory B., O'Neill, Kevin Ross, Brandwine, Eric Jason, Crahen, Eric D., Ilac, Cristian M.
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/334,490
Time in Patent Office

1,020 Days
Field of Search

726/27, 726/28, 726/29, 726/26, 713/154, 713/155, 713/156, 713/157, 705/35, 705/14
US Class Current

726/28
CPC Class Codes

G06F 21/33 using certificates

H04L 63/0884 by delegation of authentica...

Federated identity broker

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Federated identity broker

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links