Trusted third party client authentication

US 9,003,189 B2
Filed: 09/11/2012
Issued: 04/07/2015
Est. Priority Date: 09/11/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, wherein the SAML token is encrypted for the video service provider system and signed by a third party security token service (STS) device, and the third party device is associated with a third party user account and a third party entity;

decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system;

validating the SAML assertion based on a third party public key associated with the third party STS device;

retrieving a third party account user identifier (ID) and a device type from an account link table wherein the account link table includes an authorization identifier, the third party account user ID, the device type, and a link time, wherein the link time identifies a time that the third party user account was linked with a service provider user account associated with the video service provider system;

identifying the link time based on the third party account user identifier;

identifying a password change time (PCT) stamp associated with the service provider user account; and

providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system, validating the SAML assertion based on a third party public key associated with the third party STS, and retrieving a third party account user identifier and a device type. The method also includes identifying a link time based on the third party account user identifier, identifying a password change time (PCT) stamp associated with the service provider user account, and providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.

Citations

20 Claims

1. A computer-implemented method comprising:
- receiving, at a video service provider system, a request for an online video session from a third party device with a security markup assertion language (SAML) token as an input, wherein the SAML token is encrypted for the video service provider system and signed by a third party security token service (STS) device, and the third party device is associated with a third party user account and a third party entity;
  
  decrypting a SAML assertion in the SAML token with a private key associated with the video service provider system;
  
  validating the SAML assertion based on a third party public key associated with the third party STS device;
  
  retrieving a third party account user identifier (ID) and a device type from an account link table wherein the account link table includes an authorization identifier, the third party account user ID, the device type, and a link time, wherein the link time identifies a time that the third party user account was linked with a service provider user account associated with the video service provider system;
  
  identifying the link time based on the third party account user identifier;
  
  identifying a password change time (PCT) stamp associated with the service provider user account; and
  
  providing the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The computer-implemented method of claim 1, further comprising:
    - providing notification that the third party user account is not linked with the service provider user account in response to determining that the PCT stamp is later than the link time.
  - 3. The computer-implemented method of claim 1, wherein providing the online video session to the third party device further comprises:
    - providing a success response and a session cookie to the third party device.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving a SAML response from a partner federated STS (FSTS) device, wherein the SAML response includes the SAML assertion signed by a partner identity (ID) STS device and encrypted for the FSTS device;
      
      decrypting the SAML assertion with the private key associated with the video service provider system;
      
      validating the SAML assertion based on the third party public key associated with the third party STS device;
      
      retrieving a party account number associated with the third party user account;
      
      creating the online video session; and
      
      associating the online video session to the party account number.
  - 5. The computer-implemented method of claim 4, further comprising:
    - receiving a link account request from the third party device, wherein the link account request includes a SAML token signed by the third party STS device and encrypted for the video service provider system;
      
      decrypting the SAML assertion with the private key associated with the video service provider system;
      
      validating the SAML assertion based on a third party public key associated with the third party STS device;
      
      retrieving the third party account user ID and the device type; and
      
      creating an entry in the account link table based on the third party account user ID and the party account number.
  - 6. The computer-implemented method of claim 5, wherein creating an entry in an account link table further comprises:
    - identifying the third party user ID, the party account number, the device type, and the link time.
  - 7. The computer-implemented method of claim 1, wherein the SAML token is a SAML 2.0 token.
  - 8. The computer-implemented method of claim 1, further comprising:
    - authenticating the SAML token based on a web services (WS) trust protocol.
  - 9. The computer-implemented method of claim 1, further comprising:
    - encrypting the third party account user identifier, and a party account number based on a public key of the video service provider system.

10. A computer-implemented method comprising:
- sending, from a third party device, a simple object access protocol (SOAP) web services (WS) trust request including service provider login credentials associated with a service provider user account to a partner identity (ID) STS device, wherein the third party device is associated with a third party entity and a third party user account and the partner ID STS device is associated with a partner entity of a service provider entity that manages a video service provider system;
  
  receiving a SOAP response including an a security assertion markup language (SAML) assertion signed by the partner ID STS device and encrypted for a partner federated STS (FSTS) device after the partner ID STS device validates the service provider login credentials;
  
  sending a request for an online video session to the video service provider system;
  
  wherein the video service provider system is to decrypt and validate the SAML assertion, lookup the third party user account from an account link table, wherein the account link table includes an authorization identifier, a third party account user identifier, a device type, and a link time, wherein the link time identifies a time that the third party user account was linked with a service provider user account associated with the video service provider system, identify the link time based on the third party account user identifier, identify a password change time (PCT) stamp associated with the service provider user account and provide the online video session to the third party device in response to determining that the PCT stamp is not later than the link time; and
  
  receiving a success response and a session cookie.
- View Dependent Claims (11, 12, 13)
- - 11. The computer-implemented method of claim 10, further comprising:
    - sending, from the third party device, a request for a SAML token with a third party authorization token to a third party security token service (STS), wherein the third party STS provides authentication in association with the third party device;
      
      receiving a response including the requested SAML token, wherein the third party STS provides the requested SAML token after validation of the third party authorization token and the requested SAML token is signed by the third party STS and encrypted for the video service provider system;
      
      sending a link account request including the requested SAML token to the video service provider system; and
      
      receiving a second success response and the session cookie.
  - 12. The computer-implemented method of claim 11, further comprising:
    - requesting an online video session with the requested SAML token as an input from the video service provider system; and
      
      receiving another success response and a session cookie if the video service provider system determines that the third party user account is associated with a currently linked service provider user account.
  - 13. The computer-implemented method of claim 12, further comprising:
    - receiving a denial message if the video service provider system determines that the third party user account is not associated with a currently linked service provider user account.

14. A video service provider device, comprising:
- a memory to store a plurality of instructions; and
  
  a processor configured to execute instructions in the memory to;
  
  receive a request for an online video session from a third party device, with a security assertion markup language (SAML) token as an input, wherein the SAML token is encrypted for the video service provider device and signed by a third party security token service (STS) device, and the third party device is associated with a third party user account and a third party entity;
  
  decrypt a SAML assertion in the SAML token with a private key associated with the video service provider device;
  
  validate the SAML assertion based on a third party public key associated with the third party STS device;
  
  retrieve a third party account user identifier (ID) and a device type from an account link table, wherein the account link table includes an authorization identifier, the third party account user ID, the device type, and a link time, wherein the link time identifies a time that the third party user account was linked with a service provider user account associated with the video service provider device;
  
  identify a link time based on the third party account user identifier;
  
  identify a password change time (PCT) stamp associated with the service provider user account; and
  
  provide the online video session to the third party device in response to determining that the PCT stamp is not later than the link time.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The new video service provider device of claim 14, wherein the processor is further configured to:
    - receive another request for an online video session with a third party token encrypted for the video service provider device from the third party device, wherein the third party token includes a second SAML assertion signed by a partner identity (ID) STS device and encrypted for a partner federated STS (FSTS) device;
      
      send a simple object access protocol (SOAP) web services (WS) trust request, including the second SAML assertion signed by the partner ID STS device and encrypted for the partner FSTS device, to the partner FSTS device;
      
      receive a SAML response from the partner FSTS device, wherein the SAML response includes the second SAML assertion;
      
      decrypt the second SAML assertion with a private key associated wit the video service provider device;
      
      validate the second SAML assertion based on a third party public key associated with a third party STS device;
      
      retrieve a party account number associated with a third party account;
      
      create the online video session;
      
      associate the online video session with the party account number; and
      
      send success response with a session cookie to the third party device.
  - 16. The video service provider device of claim 15, wherein the processor is further configured to:
    - receive a link account request including a SAML assertion signed by a third party STS device and encrypted for the video service provider device;
      
      decrypt the SAML assertion with a private key associated with the video service provider device;
      
      validate the SAML assertion based on a third party public key associated with the third party STS device;
      
      retrieve a third party account user ID and a device type; and
      
      create an entry in the account link table based on the third party account user ID and a party account number.
  - 17. The video service provider device of claim 16, wherein, when creating the entry in the account link table, the processor is further configured to:
    - identify the third party account user ID, the party account number, the device type of the third party device, and the link time.
  - 18. The video service provider device of claim 14, wherein the processor is further configured to:
    - provide notification that the third party user account is not linked with the service provider user account if the PCT stamp is later than the link time.

19. A system, comprising:
- a third party security token service (STS) device that provides security tokens associated with a third party entity; and
  
  a video service provider system that provides an online video service and is associated with a service provider entity; and
  
  wherein the third party STS device is configured toreceive a simple object access protocol (SOAP) web services (WS) trust request for a security markup assertion language (SAML) token with a third party authorization token from a third party device, wherein the third party device is associated with a third party user account and a third party entity; and
  
  validate the authorization token and provide a SOAP response including a requested SAML token and SAML assertion signed by the third party STS device and encrypted for the video service provider system; and
  
  wherein the video service provider system is configured toreceive a request for an online video session from the third party device,decrypt and validate the SAML assertion,lookup the third party user account from an account link table, wherein the account link table includes an authorization identifier, a third party account user identifier, a device type, and link time, wherein the link time identifies a time that the third party user account was linked with a service provider user account associated with the service provider system;
  
  identify a link time based on a third party account user identifier,identify a password change time (PCT) stamp associated with the service provider user account, andreturn a success response and a session cookie to the third party device if the video service provider system determines that the third party user account is associated with a currently linked service provider user account.
- View Dependent Claims (20)
- - 20. The system of claim 19, further comprising:
    - a partner identity (ID) STS device that provides security tokens associated with a partner entity of the service provider entity; and
      
      a partner federated STS (FSTS) device that manages a partner customer account associated with the video service provider system; and
      
      wherein the partner ID STS device is configured to receive another SOAP WS trust request including service provider login credentials associated with a identified service provider user account from the third party device;
      
      validate the service provider login credentials, andprovide a SOAP response including an SAML assertion signed by the partner ID STS device and encrypted for the partner FSTS device to the third party device;
      
      wherein the video service provider system is further configured to receive a link account request including the requested SAML token from the third party device;
      
      send a further SOAP WS trust request to the partner FSTS device;
      
      receive a SAML response from the partner FSTS device; and
      
      send a second HTTP 200 response and a session cookie to the third party device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Yin, Fenglin, Hao, Jack Jianxiu
Primary Examiner(s)
Schwartz, Darren B
Assistant Examiner(s)
MURPHY, JOSEPH B

Application Number

US13/609,530
Publication Number

US 20140075188A1
Time in Patent Office

938 Days
Field of Search

713/168, 713/150, 713/170, 713/182
US Class Current

713/168
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/335   for accessing specific reso...

H04L 2463/101   applying security measures ...

H04L 63/06   for supporting key manageme...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 67/146   Markers for unambiguous ide...

Trusted third party client authentication

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Trusted third party client authentication

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links