Relying party platform/framework for access management infrastructures

US 9,043,886 B2
Filed: 05/04/2012
Issued: 05/26/2015
Est. Priority Date: 09/29/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor;

a non-transitory computer-readable storage medium;

a mapping repository configured to store a mapping between applications and identity providers, wherein the mapping associates each application of a plurality of applications with one or more identity providers;

identity management logic configured to use the mapping to determine that one or more first identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of a first application in response to receiving a first request associated with the first application;

said non-transitory computer-readable storage medium storing instructions that cause said processor to;

receive the first request specifying the first application;

invoke a first identity provider of a plurality of identity providers to authenticate an entity associated with the first request based on a first mapping between the first application and the first identity provider;

wherein the identity management logic is further configured to;

determine that a first user of the first application has been authenticated using the first identity provider of the one or more first identity providers;

determine, in response to a request from the first application to perform an action associated with a second application, that the first application is a trusted application with respect to the second application based at least in part on the determination that the first user of the first application has been authenticated using the first identity provider;

generate a token that enables the first application to perform the action on the second application;

receive a second request specifying a second application different from the first application; and

invoke a second identity provider of the plurality of identity providers to authenticate an entity associated with the second request based on a second mapping between the second application and the second identity provider; and

wherein the first identity provider differs from the second identity provider.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A framework is provided for integrating Internet identities in enterprise identity and access management (IAM) infrastructures. A framework is provided for open authorization. A framework is also provided for relying party functionality. A mapping repository can be configured to store a mapping between applications and identity providers. The mapping associates each application of a plurality of applications with one or more identity providers. Identity management logic can be configured to use the mapping to determine that one or more identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of the first application in response to receiving a first request associated with a first application.

72 Citations

View as Search Results

17 Claims

1. A system, comprising:
- a processor;
  
  a non-transitory computer-readable storage medium;
  
  a mapping repository configured to store a mapping between applications and identity providers, wherein the mapping associates each application of a plurality of applications with one or more identity providers;
  
  identity management logic configured to use the mapping to determine that one or more first identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of a first application in response to receiving a first request associated with the first application;
  
  said non-transitory computer-readable storage medium storing instructions that cause said processor to;
  
  receive the first request specifying the first application;
  
  invoke a first identity provider of a plurality of identity providers to authenticate an entity associated with the first request based on a first mapping between the first application and the first identity provider;
  
  wherein the identity management logic is further configured to;
  
  determine that a first user of the first application has been authenticated using the first identity provider of the one or more first identity providers;
  
  determine, in response to a request from the first application to perform an action associated with a second application, that the first application is a trusted application with respect to the second application based at least in part on the determination that the first user of the first application has been authenticated using the first identity provider;
  
  generate a token that enables the first application to perform the action on the second application;
  
  receive a second request specifying a second application different from the first application; and
  
  invoke a second identity provider of the plurality of identity providers to authenticate an entity associated with the second request based on a second mapping between the second application and the second identity provider; and
  
  wherein the first identity provider differs from the second identity provider.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, further comprising:
    - credential management logic configured to generate credential collection data for use with a credential collection interface in response to determining that the one or more first identity providers can be used to perform authentication activities on behalf of the first application, wherein the credential collection data identifies at least one of the one or more first identity providers.
  - 3. The system of claim 2, further comprising:
    - presentation logic configured to generate a user interface using the credential collection data, wherein the user interface includes one or more authentication user interface elements for collecting authentication credentials.
  - 4. The system of claim 2, wherein the identity management logic is further configured to use the mapping to determine that one or more identity providers of a second plurality of identity providers can be used to perform authentication activities on behalf of the second application in response to receiving the second request associated with the second application.
  - 5. The system of claim 2, wherein:
    - the identity management logic is further configured to retrieve identity data from the first identity provider in response to receiving authentication credential information associated with the first identity provider, wherein the identity data includes first user identifying information;
      
      the credential management logic is further configured to generate an identity collection interface and pre-populate one or more user input elements of the identity collection interface with at least the first user identifying information;
      
      the system further includes account creation logic configured to generate a local account that includes the first user identifying information in response to receiving a request associated with the identity collection interface;
      
      wherein the first identity provider is an external identity provider.
  - 6. The system of claim 2, wherein:
    - the second application is a different application than the first application; and
      
      at least one of the identity providers in a first set of identity providers is not in a second set of identity providers.

7. A method, comprising:
- storing, on a computer-readable storage medium, a mapping between applications and identity providers, wherein the mapping associates each application of a plurality of applications with one or more identity providers;
  
  using the mapping to determine that one or more first identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of a first application in response to receiving a first request associated with the first application;
  
  receiving the first request specifying the first application;
  
  invoking, by a computer processor, a first identity provider of a plurality of identity providers to authenticate an entity associated with the first request based on a first mapping between the first application and the first identity provider;
  
  determining that a first user of the first application has been authenticated using the first identity provider of the one or more first identity providers;
  
  in response to a request from the first application to perform an action associated with a second application, determining that the first application is a trusted application with respect to the second application based at least in part on the determination that the first user of the first application has been authenticated using the first identity provider;
  
  generating a token that enables the first application to perform the action on the second application;
  
  receiving a second request specifying a second application different from the first application; and
  
  invoking, by a computer processor, a second identity provider of the plurality of identity providers to authenticate an entity associated with the second request based on a second mapping between the second application and the second identity provider;
  
  wherein the first identity provider differs from the second identity provider; and
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, further comprising:
    - in response to determining that the one or more first identity providers can be used to perform authentication activities on behalf of the first application, generating credential collection data for use with a credential collection interface, wherein the credential collection data identifies at least one of the one or more first identity providers.
  - 9. The method of claim 8, further comprising:
    - generating a user interface using the credential collection data, wherein the user interface includes one or more authentication user interface elements for collecting authentication credentials.
  - 10. The method of claim 8, further comprising:
    - in response to receiving the second request, using the mapping to determine that one or more identity providers of a second plurality of identity providers can be used to perform authentication activities on behalf of the second application.
  - 11. The method of claim 8, further comprising:
    - in response to receiving authentication credential information associated with the first identity provider, retrieving identity data from the first identity provider, wherein the identity data includes first user identifying information;
      
      generating an identity collection interface, wherein one or more user input elements of the identity collection interface are pre-populated with at least the first user identifying information;
      
      in response to receiving a request associated with the identity collection interface, generating a local account that includes the first user identifying information;
      
      wherein the first identity provider is an external identity provider.
  - 12. The method of claim 8, wherein:
    - the second application is a different application than the first application; and
      
      at least one of the identity providers in a first set of identity providers is not in a second set of identity providers.

13. A computer-readable non-transitory storage medium storing a plurality of instructions executable by one or more processors, the plurality of instructions comprising:
- storing a mapping between applications and identity providers, wherein the mapping associates each application of a plurality of applications with one or more identity providers;
  
  using the mapping to determine that one or more first identity providers of a first plurality of identity providers can be used to perform authentication activities on behalf of a first application in response to receiving a first request associated with the first application;
  
  receiving the first request specifying the first application;
  
  invoking a first identity provider of a plurality of identity providers to authenticate an entity associated with the first request based on a first mapping between the first application and the first identity provider;
  
  determining that a first user of the first application has been authenticated using the first identity provider of the one or more first identity providers;
  
  in response to a request from the first application to perform an action associated with a second application, determining that the first application is a trusted application with respect to the second application based at least in part on the determination that the first user of the first application has been authenticated using the first identity provider;
  
  generating a token that enables the first application to perform the action on the second application;
  
  receiving a second request specifying a second application different from the first application; and
  
  invoking a second identity provider of the plurality of identity providers to authenticate an entity associated with the second request based on a second mapping between the second application and the second identity provider;
  
  wherein the first identity provider differs from the second identity provider.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-readable storage medium of claim 13, wherein the plurality of instructions further include instructions that cause the one or more processors to perform:
    - in response to determining that the one or more first identity providers can be used to perform authentication activities on behalf of the first application, generating credential collection data for use with a credential collection interface, wherein the credential collection data identifies at least one of the one or more first identity providers.
  - 15. The computer-readable storage medium-of claim 14, wherein the plurality of instructions further include instructions that cause the one or more processors to perform:
    - generating a user interface using the credential collection data, wherein the user interface includes one or more authentication user interface elements for collecting authentication credentials.
  - 16. The computer-readable storage medium of claim 14, wherein the plurality of instructions further include instructions that cause the one or more processors to perform:
    - in response to receiving the second request, using the mapping to determine that one or more identity providers of a second plurality of identity providers can be used to perform authentication activities on behalf of the second application.
  - 17. The computer-readable storage medium of claim 14, wherein the plurality of instructions further include instructions that cause the one or more processors to perform:
    - in response to receiving authentication credential information associated with the first identity provider, retrieving identity data from the first identity provider, wherein the identity data includes first user identifying information;
      
      generating an identity collection interface, wherein one or more user input elements of the identity collection interface are pre-populated with at least the first user identifying information;
      
      in response to receiving a request associated with the identity collection interface, generating a local account that includes the first user identifying information;
      
      wherein the first identity provider is an external identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Srinivasan, Venkataraman Uppili, Angal, Rajeev, Sondhi, Ajay, Bhat, Shivaram
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
SONG, HEE K

Application Number

US13/464,880
Publication Number

US 20130086657A1
Time in Patent Office

1,117 Days
Field of Search

726 5- 9
US Class Current

726/6
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/10   for controlling access to d...

H04L 9/3234   involving additional secure...

Relying party platform/framework for access management infrastructures

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Relying party platform/framework for access management infrastructures

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links