Home realm discovery in mixed-mode federated realms
Abstract
The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.
20 Claims
1. A computer program product comprising one or more hardware storage devices having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause the computer system to perform a method for authenticating identities within a mixed realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising acts of:
- receiving at a service a request to access one or more services provided by the service, the request issuing from an identity within a mixed authentication realm that includes one or both of direct authentication identities and federated authentication identities;
- determining whether the identity that issued the request is a direct authentication identity or a federated authentication identity;
- upon determining the identity that issued the request is a direct authentication identity, then the service responding to the request for service with a direct authentication interface enabling entry of a direct authentication credential at the service for the identity that issued the request;
- upon determining the identity that issued the request is a federated authentication identity, then the service responding to the request for service with a federated authentication interface, the federated authentication interface providing a redirection instruction to authenticate with a third party identity provider in order to receive authentication credentials for use at the service;
- when the identity is determined to be invalid, then performing the further acts of:
  - pseudo-randomly choosing either the direct authentication interface or the federated authentication interface; and
  - responding to the request for service with the pseudo-randomly chosen direct authentication interface or federated authentication interface, the pseudo-randomly chosen interface enabling entry of a credential for the identity.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A method, implemented at a computer system that includes one or more processors, for authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising the following acts:
- receiving at a service hosted by the computing system a first request for service associated with a first identity in a mixed authentication realm that includes one or both of direct authentication identities and federated authentication identities;
- determining at the service that the first identity is a direct authentication identity;
- the service responding to the first request for service with a direct authentication interface, the direct authentication interface enabling entry of a direct authentication credential for the first identity;
- receiving at the service a second request for service associated with a second identity in the mixed authentication realm;
- determining at the service that the second identity is a federated authentication identity;
- the service responding to the second request for service with a federated authentication interface, the federated authentication interface providing a redirection instruction to authenticate with a third party identity provider in order to receive authentication credentials for use at the service;
- receiving at the service a third request for service associated with a third identity in the mixed authentication realm;
- determining at the service that the third identity is not a valid identity within the mixed authentication realm;
- pseudo-randomly determining at the service whether to respond with the direct authentication interface or the federated authentication interface; and
- the service responding to the third request for service with the pseudo-randomly determined authentication interface, the pseudo-randomly determined authentication interface enabling entry of a credential for the third identity.

Dependent claims: 11, 12, 13, 14, 15, 16.
17. A computer system, comprising:
- one or more processors; and
- one or more hardware storage devices having stored thereon computer-executable instructions that are structured such that, when executed by the one or more processors, cause the computer system to authenticate identities within a mixed realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, including the following:
  - receiving a request for service from an identity within a mixed authentication realm; and
  - determining whether the identity is a valid identity within the realm, and
    - when the identity is determined to be valid and the identity is a direct authentication identity, responding to the request for service with a direct authentication interface, the direct authentication interface enabling entry of a direct authentication credential for the identity;
    - when the identity is determined to be valid and the identity is a federated authentication identity, responding to the request for service with a federated authentication interface, the federated authentication interface enabling entry of a federated authentication credential for the identity; and
    - when the identity is determined to be invalid, rather than providing an error message in response to the request, an act of responding to the request for service by performing the further acts of: pseudo-randomly choosing either the direct authentication interface or the federated authentication interface; and responding to the request for service with the pseudo-randomly chosen direct authentication interface or federated authentication interface, the pseudo-randomly chosen interface enabling entry of a credential for the identity.

Dependent claims: 18, 19, 20.
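The behaviour described in the abstract and in claims 1, 10 and 17, as an added Python example that is not the patent's own code: a home realm discovery function for a constructed mixed realm. The realm directory, the identity provider URL `https://sts.contoso.example/adfs/ls`, the server secret, the `AuthInterface` type and the `to_http` rendering are all assumptions of this example. Next to it sits the pattern claim 17 contrasts against, an error for an unknown identity, which tells the requester which identities exist in the realm. Keying the pseudo-random choice with an HMAC is a design choice of this example, not something the claims require: it keeps the answer for a given unknown identity stable across requests, so re-asking does not distinguish it from a valid identity that always lands on the same interface.

```python
"""Home realm discovery (HRD) for a mixed realm of direct and federated identities.

Added example, not the patent's own code. The realm directory, the IdP URL,
the server secret and the HTTP rendering are constructed placeholders.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed sample realm: which identities authenticate where.
REALM_DIRECTORY = {
    "alice@contoso.example": "direct",
    "bob@contoso.example": "federated",
}
# Assumed: a single third-party identity provider serves the realm's federated users.
FEDERATED_IDP = "https://sts.contoso.example/adfs/ls"
# Per-deployment secret keying the pseudo-random choice; in production this is
# a stored key, not regenerated at import time (constructed here).
SERVER_SECRET = secrets.token_bytes(32)


@dataclass(frozen=True)
class AuthInterface:
    """What the service sends back: a local credential form or an IdP redirect."""
    kind: str                       # "direct" or "federated"
    redirect: Optional[str] = None  # set only for the federated interface


def normalize(identity: str) -> str:
    # Case and surrounding whitespace must not change the answer; otherwise
    # comparing responses for "Alice" and "alice" would expose the unknown path.
    return identity.strip().lower()


def leaky_home_realm_discovery(identity: str) -> Optional[AuthInterface]:
    """The pattern the claims avoid: an unknown identity gets an error (None),
    so the response itself reveals whether the identity exists in the realm."""
    kind = REALM_DIRECTORY.get(normalize(identity))
    if kind is None:
        return None  # "no such user": an existence oracle
    if kind == "direct":
        return AuthInterface("direct")
    return AuthInterface("federated", FEDERATED_IDP)


def pseudo_random_kind(identity: str, secret: bytes) -> str:
    """Pseudo-random choice of interface for an unknown identity.

    Keyed with HMAC-SHA256 so the choice is stable per identity and cannot be
    predicted without the secret. A plain coin flip (secrets.choice) also
    satisfies the claim wording but would vary between requests."""
    digest = hmac.new(secret, normalize(identity).encode("utf-8"), hashlib.sha256).digest()
    return "direct" if digest[0] & 1 == 0 else "federated"


def home_realm_discovery(identity: str, secret: bytes = SERVER_SECRET) -> AuthInterface:
    """Claimed behaviour: a valid identity gets the interface its kind requires;
    an invalid identity gets one of the two interfaces, never an error."""
    kind = REALM_DIRECTORY.get(normalize(identity))
    if kind is None:
        kind = pseudo_random_kind(identity, secret)
    if kind == "direct":
        return AuthInterface("direct")
    return AuthInterface("federated", FEDERATED_IDP)


def to_http(interface: AuthInterface) -> dict:
    """Render an interface as a minimal HTTP response (constructed shape):
    a 200 with a credential form, or a 302 redirect to the identity provider."""
    if interface.kind == "direct":
        return {"status": 200, "headers": {}, "body": "<form>credential form</form>"}
    return {"status": 302, "headers": {"Location": interface.redirect}, "body": ""}


if __name__ == "__main__":
    for who in ("alice@contoso.example", "bob@contoso.example", "mallory@contoso.example"):
        print(who, "leaky:", leaky_home_realm_discovery(who), "claimed:", home_realm_discovery(who))
```

One caveat the claims leave to the deployment: the federated branch redirects the requester to the real identity provider, so that provider must also avoid disclosing whether the identity exists, or the disclosure simply moves one hop downstream.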