Home realm discovery in mixed-mode federated realms

US 8,978,115 B2
Filed: 11/15/2013
Issued: 03/10/2015
Est. Priority Date: 11/09/2011
Status: Active Grant

First Claim

Patent Images

1. A computer program product comprising one or more hardware storage devices having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause the computer system to perform a method for authenticating identities within a mixed realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising acts of:

receiving at a service a request to access one or more services provided by the service, the request issuing from an identity within a mixed authentication realm that includes one or both of direct authentication identities and federated authentication identities;

determining whether the identity that issued the request is a direct authentication identity or a federated authentication identity;

upon determining the identity that issued the request is a direct authentication identity, then the service responding to the request for service with a direct authentication interface enabling entry of a direct authentication credential at the service for the identity that issued the request;

upon determining the identity that issued the request is determined to be a federated authentication identity, then the service responding to the request for service with a federated authentication interface, the federated authentication interface providing a redirection instruction to authenticate with a third party identity provider in order to receive authentication credentials for use at the service;

when the identity is determined to be invalid, then performing further acts of;

pseudo-randomly choosing either the direct authentication interface or the federated authentication interface; and

responding to the request for service with the pseudo-randomly chosen direct authentication interface or federated authentication interface, the pseudo-randomly chosen direct authentication interface or federated authentication interface enabling entry of a credential for the identity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The authentication of identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication. Requests for service from valid identities in the realm that are to be authenticated by direct authentication are responded to with a direct authentication interface. Requests for service from valid identities in the realm that are to be authenticated by federated authentication are responded to with a federated authentication interface. Requests for service from invalid identities are responded to pseudo-randomly with either the direct authentication interface or the federated authentication interface.

Citations

20 Claims

1. A computer program product comprising one or more hardware storage devices having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, cause the computer system to perform a method for authenticating identities within a mixed realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising acts of:
- receiving at a service a request to access one or more services provided by the service, the request issuing from an identity within a mixed authentication realm that includes one or both of direct authentication identities and federated authentication identities;
  
  determining whether the identity that issued the request is a direct authentication identity or a federated authentication identity;
  
  upon determining the identity that issued the request is a direct authentication identity, then the service responding to the request for service with a direct authentication interface enabling entry of a direct authentication credential at the service for the identity that issued the request;
  
  upon determining the identity that issued the request is determined to be a federated authentication identity, then the service responding to the request for service with a federated authentication interface, the federated authentication interface providing a redirection instruction to authenticate with a third party identity provider in order to receive authentication credentials for use at the service;
  
  when the identity is determined to be invalid, then performing further acts of;
  
  pseudo-randomly choosing either the direct authentication interface or the federated authentication interface; and
  
  responding to the request for service with the pseudo-randomly chosen direct authentication interface or federated authentication interface, the pseudo-randomly chosen direct authentication interface or federated authentication interface enabling entry of a credential for the identity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer program product in accordance with claim 1, wherein the method is performed by a service provider or application.
  - 3. The computer program product in accordance with claim 2, wherein the federated authentication interface prompts a user to negotiate authentication with a third-party identity provider to receive credentials that may then be provided back to the service provider or application.
  - 4. The computer program product in accordance with claim 3, wherein the third-party identity provider is an enterprise identity provider.
  - 5. The computer program product in accordance with claim 3, wherein the third-party identity provider is a consumer identity provider.
  - 6. The computer program product in accordance with claim 1, wherein the act of pseudo-randomly choosing either the direct authentication interface or the federated authentication interface includes, for each of such requests for service from invalid identities:
    - an act of encrypting the invalid identity;
      
      an act of hashing the encryption of the invalid identity; and
      
      an act of determining whether to respond with the direct authentication interface or the federated authentication interface based on the hash result of the invalid identity.
  - 7. The computer program product in accordance with claim 6 wherein the act of pseudo-randomly choosing either the direct authentication interface or the federated authentication interface includes, for each of such requests for service from invalid identities, an authentication process that provides timing consistency, a deterministic authentication methodology on a per identifier basis, and a proportionate result consistent with the relative proportion of valid direct authentication identities and valid federated authentication identities within the mixed authentication realm.
  - 8. The computer program product in accordance with claim 1, wherein each of the three acts of responding take approximately the same amount of time.
  - 9. The computer program product in accordance with claim 1, wherein the act of pseudo-randomly choosing either the direct authentication interface or the federated authentication interface results in the same determination for any given invalid entity each time a request is made on behalf of the invalid identity.

10. A method, implemented at a computer system that includes one or more processors, for authenticating identities within a realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, the method comprising the following acts:
- receiving at a service hosted by the computing system a first request for service associated with a first identity in a mixed authentication realm that includes one or both of direct authentication identities and federated authentication identities;
  
  determining at the service that the first identity is a direct authentication identity;
  
  the service responding to the first request for service with a direct authentication interface, the direct authentication interface enabling entry of a direct authentication credential for the first identity;
  
  receiving at the service a second request for service associated with a second identity in the mixed authentication realm;
  
  determining at the service that the second identity is a federated authentication identity;
  
  the service responding to the second request for service with a federated authentication interface, the federated authentication interface that provides a redirection instruction to authenticate with a third party identity provider in order to receive authentication credentials for use at the service;
  
  receiving at the service a third request for service associated with a third identity in the mixed authentication realm;
  
  determining at the service that the third identity is not a valid identity within the mixed authentication realm;
  
  pseudo-randomly determining at the service whether to respond with the direct authentication interface or the federated authentication interface; and
  
  the service responding to the third request for service with the pseudo-randomly determined authentication interface, the pseudo-randomly determined authentication interface enabling entry of a credential for the third entity.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The method in accordance with claim 10, wherein the act of the computer system pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface includes, for each of such requests for service from invalid identities:
    - an act of encrypting the invalid third identity;
      
      an act of hashing the encryption of the invalid third identity; and
      
      an act of determining whether to respond with the direct authentication interface or the federated authentication interface based on the hash result of the invalid third identity.
  - 12. The method in accordance with claim 11, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in the same determination each time a request is made on behalf of the third identity.
  - 13. The method in accordance with claim 11, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in an aggregated proportion of determination that is approximately the same as a proportion the number of the plurality of identities in the realm that are to be authenticated by direct authentication to the number of the plurality of identities in the realm that are to be authenticated by federated authentication.
  - 14. The method in accordance with claim 10, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in the same determination each time a request is made on behalf of the third identity.
  - 15. The method in accordance with claim 10, wherein the act of pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in an aggregated proportion of determination that is approximately the same as a proportion the number of the plurality of identities in the realm that are to be authenticated by direct authentication to the number of the plurality of identities in the realm that are to be authenticated by federated authentication.
  - 16. The method in accordance with claim 10, wherein the act of responding to the first request, the act of responding to the second request, and the act of responding to the third request take approximately the same amount of time such that it cannot be inferred based on the timing of the response whether the identity is a valid identity or an invalid identity.

17. A computer system, comprising:
- one or more processors; and
  
  one or more hardware storage devices having stored thereon computer-executable instructions that are structured such that, when executed the one or more processors, cause the computer system to authenticate identities within a mixed realm in which some identities are authenticated using direct authentication, and some identities are authenticated using federated authentication, including the following;
  
  receiving a request for service from an identity within a mixed authentication realm; and
  
  determining whether the identity is a valid identity within the realm, andwhen the identity is determined to be valid and the identity is a direct authentication identity, responding to the request for service with a direct authentication interface, the direct authentication interface enabling entry of a direct authentication credential for the identity;
  
  when the identity is determined to be valid and the identity is a federated authentication identity, responding to the request for service with a federated authentication interface, the federated authentication interface enabling entry of a federated authentication credential for the identity; and
  
  when the identity is determined to be invalid, rather than providing an error message in response to the request, an act of responding to the request for service by performing the further acts of;
  
  pseudo-randomly choosing either the direct authentication interface or the federated authentication interface; and
  
  responding to the request for service with the pseudo-randomly chosen direct authentication interface or federated authentication interface, the pseudo-randomly chosen direct authentication interface or federated authentication interface enabling entry of a credential for the identity.
- View Dependent Claims (18, 19, 20)
- - 18. The system in accordance with claim 17, wherein pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface includes, for each of such requests for service from invalid identities:
    - an act of encrypting the invalid third identity;
      
      an act of hashing the encryption of the invalid third identity; and
      
      an act of determining whether to respond with the direct authentication interface or the federated authentication interface based on the hash result of the invalid third identity.
  - 19. The system in accordance with claim 18 wherein the act of pseudo-randomly choosing either the direct authentication interface or the federated authentication interface includes, for each of such requests for service from invalid identities, an authentication process that provides timing consistency, a deterministic authentication methodology on a per identifier basis, and a proportionate result consistent with the relative proportion of valid direct authentication identities and valid federated authentication identities within the mixed authentication realm.
  - 20. The system in accordance with claim 17, wherein the pseudo-randomly determining whether to respond with the direct authentication interface or the federated authentication interface results in an aggregated proportion of determination that is approximately the same as a proportion the number of the plurality of identities in the realm that are to be authenticated by direct authentication to the number of the plurality of identities in the realm that are to be authenticated by federated authentication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Nicholson, David J.
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US14/081,135
Publication Number

US 20140075529A1
Time in Patent Office

480 Days
Field of Search

726/5, 726/7, 726/27, 713/169
US Class Current

726/5
CPC Class Codes

G06F 21/31 User authentication

H04L 63/08 for authentication of entit...

Home realm discovery in mixed-mode federated realms

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Home realm discovery in mixed-mode federated realms

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links