Multi-hop single sign-on (SSO) for identity provider (IdP) roaming/proxy
First Claim
1. An apparatus, comprising:
- one or more non-transitory, computer-readable media having instructions; and
- one or more processors coupled with the one or more non-transitory, computer-readable media, the one or more processors to execute the instructions to cause a first identity provider (IdP), which provides a first identity associated with a user, to operate as a proxy for a second IdP that provides a second identity associated with the user, to enable the second identity to be used to obtain authorized access to a service of a service provider that recognizes the first identity, wherein the service provider is distinct from the first and second IdPs and, to operate as the proxy to enable the second identity to be used to obtain authorized access to the service, the first IdP is to:
  - receive, from a user equipment (UE), an authentication request for the service, wherein the authentication request is redirected from the service provider to the apparatus;
  - send, based on the authentication request, a communication directly to the second IdP to initiate an authentication process with the second IdP using the second identity; and
  - if the second identity is determined by the first IdP to be authenticated by the authentication process, send to the service provider through the UE an assert message associated with the first identity to enable the authorized access to the service.
Abstract
Embodiments of the present disclosure describe methods, apparatuses, and systems related to using an identity provider (IdP) as a proxy for another IdP. Other embodiments may be described and/or claimed.
8 Claims
1. An apparatus, comprising: (reproduced in full under First Claim above). Dependent claim: 2.
3. An article of manufacture, comprising:
- a non-transitory computer-readable medium having computer-readable instructions stored thereon and executable by a processor of a first identity provider (IdP) corresponding to a first identity, to:
  - receive, from a user equipment (UE), a request to authenticate a first identity that is redirected from a service provider to the first IdP;
  - in response to receipt of the request to authenticate the first identity, determine that the first identity is linked to a user having a second identity corresponding to a second IdP;
  - obtain, directly from the second IdP, an assertion that the second identity is authenticated with the second IdP; and
  - in response to the obtained assertion that the second identity is authenticated with the second IdP, transmit an assert message to the service provider through the UE to assert verification of the first identity to enable authorized access of the UE to a service of the service provider that recognizes the first identity.
Dependent claims: 4, 5, 6.
7. One or more non-transitory, computer-readable media having instructions that, when executed by a network device, implement a first identity provider (IdP), which provides a first identity associated with a user, as a proxy for a second IdP that provides a second identity associated with the user, to enable the second identity to be used to obtain authorized access to a service of a service provider that recognizes the first identity, wherein the service provider is distinct from the first and second IdPs and the first IdP is to:
- receive an authentication request from a user equipment (UE) for the service, wherein the authentication request is redirected from the service provider to the network device;
- send, based on the authentication request, a communication directly to the second IdP to initiate an authentication process with the second IdP for the second identity;
- determine that the second identity is to be authenticated by the authentication process; and
- send, based on said determination, to the service provider through the UE an assert message associated with the first identity to enable the authorized access to the service.
Dependent claim: 8.
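The flow recited in claim 1 and restated in claims 3 and 7 (the service provider redirects the UE to the first IdP; the first IdP looks up the linked second identity, authenticates it directly with the second IdP, and only then asserts the first identity back to the service provider through the UE) as an added Python simulation. This is editorial example code, not code from the patent or its assignee: the party names, keys, identities, the identity-link table, the password check and the HMAC-signed assertion format are all constructed for illustration, standing in for whatever SAML or OIDC messages a real deployment would use.

```python
# Added example (not from the patent): three-party simulation of the IdP-proxy
# flow. Keys, identities, link table and message format are constructed.
import hashlib
import hmac
import json
import secrets
import time

ASSERTION_TTL = 60  # seconds; constructed value


def sign(key, payload):
    """Wrap payload with an HMAC-SHA256 tag over its canonical JSON encoding."""
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify(key, msg, audience, now):
    """Return the payload if tag, audience and expiry check out, else None."""
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    payload = msg["payload"]
    if payload.get("aud") != audience or payload.get("exp", 0) < now:
        return None
    return payload


class SecondIdP:
    """Home IdP of the user's second identity; credential store is constructed."""

    def __init__(self, name, key):
        self.name, self.key = name, key
        self.passwords = {"alice@idp2.example": "correct horse"}

    def authenticate(self, identity, password, audience):
        # Contacted directly by the first IdP (no UE redirect on this hop).
        if self.passwords.get(identity) != password:
            return None
        return sign(self.key, {"iss": self.name, "sub": identity, "aud": audience,
                               "exp": time.time() + ASSERTION_TTL})


class FirstIdP:
    """Proxy IdP recognised by the SP; holds the identity link and the second IdP's key."""

    def __init__(self, name, key, second_idp, second_key):
        self.name, self.key = name, key
        self.second_idp, self.second_key = second_idp, second_key
        self.links = {"alice@idp1.example": "alice@idp2.example"}  # constructed link table

    def handle_authn_request(self, req, first_identity, password):
        second_identity = self.links.get(first_identity)
        if second_identity is None:
            return None
        a2 = self.second_idp.authenticate(second_identity, password, audience=self.name)
        if a2 is None or verify(self.second_key, a2, self.name, time.time()) is None:
            return None  # second identity not authenticated: nothing is asserted
        # Assert the FIRST identity, bound to the SP and to its request id.
        return sign(self.key, {"iss": self.name, "sub": first_identity, "aud": req["sp"],
                               "in_response_to": req["id"], "exp": time.time() + ASSERTION_TTL})


class ServiceProvider:
    """Trusts only the first IdP's key and never talks to the second IdP."""

    def __init__(self, name, first_idp_key):
        self.name, self.idp_key, self.pending = name, first_idp_key, set()

    def start_login(self):
        req = {"id": secrets.token_hex(8), "sp": self.name}
        self.pending.add(req["id"])
        return req  # the UE carries this to the first IdP (the redirect)

    def consume_assertion(self, msg):
        payload = verify(self.idp_key, msg, self.name, time.time())
        if payload is None or payload.get("in_response_to") not in self.pending:
            return None
        self.pending.discard(payload["in_response_to"])  # one-shot: blocks replay
        return payload["sub"]


def make_parties():
    """Constructed symmetric keys; a real deployment would use signing key pairs."""
    k1, k2 = b"idp1-signing-key", b"idp2-signing-key"
    idp2 = SecondIdP("idp2", k2)
    idp1 = FirstIdP("idp1", k1, idp2, k2)
    return ServiceProvider("sp", k1), idp1, idp2


def run_flow(scenario="ok"):
    """Drive the multi-hop login; return the identity the SP admits, or None."""
    sp, idp1, idp2 = make_parties()
    req = sp.start_login()
    if scenario == "bypass":
        # UE presents the second IdP's own assertion straight to the SP.
        a2 = idp2.authenticate("alice@idp2.example", "correct horse", audience=sp.name)
        return sp.consume_assertion(a2)
    password = "wrong" if scenario == "bad_password" else "correct horse"
    a1 = idp1.handle_authn_request(req, "alice@idp1.example", password)
    if a1 is None:
        return None
    if scenario == "tamper":
        a1["payload"]["sub"] = "admin@idp1.example"  # UE alters the relayed assertion
    return sp.consume_assertion(a1)
```

The point to take from the simulation is where the trust boundary sits. The service provider holds only the first IdP's key, so the second IdP's assertion is useless if the UE presents it directly (the "bypass" scenario), and anything the UE changes on the way back breaks the tag (the "tamper" scenario). That makes the first IdP the component that must get verification right: it checks the second IdP's signature, audience and expiry before issuing its own assertion, binds that assertion to the SP and to the original request id, and the SP treats each request id as one-shot so a captured assertion cannot be replayed.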