Identity assertion framework

US 8,990,557 B2
Filed: 02/17/2011
Issued: 03/24/2015
Est. Priority Date: 02/17/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a processor-implemented first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider;

a processor-implemented second service provider within a second security domain, configured toreceive the first token andmake a determination that the first token is valid in the second security domain;

a hardware-processor-implemented second security token service configured toreceive the first token from the second service provider based on the determination that the first token is valid in the second security domain,make a determination that the first token was issued by the first security token service, andvalidate the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and

a processor-implemented central authority configured to issue a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for implementing an identity assertion framework to authenticate a user in a federation of security domains are provided. A first security token service (STS) is configured to receive a request for a first token from a consumer and to issue the first token to the consumer. The first STS is associated with a first security domain, and the first token is issued according to a first issuing policy of the first security domain. A service provider within a second security domain receives the first token and makes a determination whether the first token is invalid in the second security domain. A second STS receives the first token from the service provider, determines that the first token was issued by the first STS, and validates the first token according to a federation policy between the first security domain and the second security domain.

28 Citations

View as Search Results

19 Claims

1. A system comprising:
- a processor-implemented first security token service configured to receive a request for a first token from a consumer and to issue the first token to the consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider;
  
  a processor-implemented second service provider within a second security domain, configured toreceive the first token andmake a determination that the first token is valid in the second security domain;
  
  a hardware-processor-implemented second security token service configured toreceive the first token from the second service provider based on the determination that the first token is valid in the second security domain,make a determination that the first token was issued by the first security token service, andvalidate the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and
  
  a processor-implemented central authority configured to issue a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 15, 16)
- - 2. The system of claim 1, wherein the central authority is further configured to manage the centralized federation policy.
  - 3. The system of claim 1, wherein the second security token service is a token authenticator within the central authority.
  - 4. The system of claim 1, wherein the second security token service is within the second security domain.
  - 5. The system of claim 4, wherein the second security token service is further configured to issue a second token to the consumer according to the local federation policy, the second token issued according to a second issuing policy of the second security domain.
  - 6. The system of claim 1, further comprising a processor-implemented identity provider configured to perform an initial authentication of the consumer.
  - 7. The system of claim 6, wherein the second security token service is further configured to resolve the first issuing policy and a second issuing policy within a federation using a key identifying the first security domain and the identity provider.
  - 8. The system of claim 1, further comprising a processor-implemented identity assertion framework configured to identify the second service provider using a key.
  - 9. The system of claim 1, wherein the second service provider is to authenticate the first token based on a policy associated with the second security domain.
  - 10. The system of claim 1, wherein the first token is exchanged with the federation token.
  - 15. The method of claim 1, further comprising, at an identity provider, performing an initial authentication of the consumer.
  - 16. The method of claim 15, further comprising resolving the first issuing policy and a second issuing policy within a federation using a key identifying the first security domain and the identity provider.

11. A method comprising:
- at a first security token service,receiving a request for a first token from a consumer, andissuing the first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider;
  
  at a second service provider within a second security domain,receiving the first token andmaking a determination that the first token is valid in the second security domain;
  
  at a second security token service,receiving the first token from the second service provider based on the determination that the first token is valid in the second security domain,determining, using one or more hardware processors, that the first token was issued by the first security token service,validating the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and
  
  at a central authority, issuing a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to the first service provider in the first security domain, and being accepted by the third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.
- View Dependent Claims (12, 13, 14, 17, 18)
- - 12. The method of claim 11, further comprising managing the centralized federation policy at the central authority.
  - 13. The method of claim 11, further comprising arranging the second security token service to be located within the second security domain.
  - 14. The method of claim 13, further comprising, at the second security token service, issuing a second token to the consumer according to the local federation policy, the second token issued according to a second issuing policy of the second security domain.
  - 17. The method of claim 11, further comprising identifying the second service provider using a key.
  - 18. The method of claim 11, further comprising, at the second service provider, authenticating the first token based on a policy associated with the second security domain.

19. A non-transitory computer-readable medium comprising instructions that when executed by one or more hardware processors, cause the one or more hardware processors to perform operations comprising:
- at a first security token service,receiving a request for a first token from a consumer, andissuing the first token to a consumer, the first security token service associated with a first security domain, the first token issued according to a first issuing policy of the first security domain, the first security domain including a first service provider;
  
  at a second service provider within a second security domain,receiving the first token andmaking a determination that the first token is valid in the second security domain;
  
  at a second security token service,receiving the first token from the second service provider based on the determination that the first token is valid in the second security domain,determining that the first token was issued by the first security token service,validating the first token according to a local federation policy that defines a federation agreement between the first security domain and the second security domain; and
  
  at a central authority, issuing a federation token based on identifying a centralized federation policy of the central authority that defines a federation agreement between the first and a third security domains, the federation token being valid to a third service provider in the third security domain and to first service provider in the first security domain, and being accepted by third service provider in the third security domain and the first service provider in the first security domain in allowing the consumer to invoke consumer sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Kassaei, Farhang, Deshmukh, Neeti, Johnson, Peter, Travostino, Franco, Khanna, Sachin, Bahety, Anand, Antony, Benoy
Primary Examiner(s)
HOLDER, BRADLEY W

Application Number

US13/029,871
Publication Number

US 20120216268A1
Time in Patent Office

1,496 Days
Field of Search

713/159, 713/150, 713/155, 713/168, 713/172
US Class Current

713/159
CPC Class Codes

G06F 21/335   for accessing specific reso...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

Identity assertion framework

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Identity assertion framework

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links