Multi-hop single sign-on (SSO) for identity provider (IdP) roaming/proxy

US 9,258,344 B2
Filed: 12/19/2011
Issued: 02/09/2016
Est. Priority Date: 08/01/2011
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

one or more non-transitory, computer-readable media having instructions; and

one or more processors coupled with the one or more non-transitory, computer-readable media, the one or more processors to execute the instructions to cause a first identity provider (IdP), which provides a first identity associated with a user, to operate as a proxy, for a second IdP that provides a second identity associated with the user, to enable the second identity to be used to obtain authorized access to a service of a service provider that recognizes the first identity,wherein the service provider is distinct from the first and second IdPs and to operate as the proxy to enable the second identity to be used to obtain authorized access to the service, the first IdP is to;

receive, from a user equipment (UE), an authentication request for the service, wherein the authentication request is redirected from the service provider to the apparatus;

send, based on the authentication request, a communication directly to the second IdP to initiate an authentication process with the second IdP using the second identity; and

if the second identity is determined by the first IdP to be authenticated by the authentication process, send to the service provider through the UE an assert message associated with the first identity to enable the authorized access to the service.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present disclosure describe methods, apparatuses, and systems related to using an identity provider (IdP) as a proxy for another IdP. Other embodiments may be described and/or claimed.

25 Citations

View as Search Results

8 Claims

1. An apparatus, comprising:
- one or more non-transitory, computer-readable media having instructions; and
  
  one or more processors coupled with the one or more non-transitory, computer-readable media, the one or more processors to execute the instructions to cause a first identity provider (IdP), which provides a first identity associated with a user, to operate as a proxy, for a second IdP that provides a second identity associated with the user, to enable the second identity to be used to obtain authorized access to a service of a service provider that recognizes the first identity,wherein the service provider is distinct from the first and second IdPs and to operate as the proxy to enable the second identity to be used to obtain authorized access to the service, the first IdP is to;
  
  receive, from a user equipment (UE), an authentication request for the service, wherein the authentication request is redirected from the service provider to the apparatus;
  
  send, based on the authentication request, a communication directly to the second IdP to initiate an authentication process with the second IdP using the second identity; and
  
  if the second identity is determined by the first IdP to be authenticated by the authentication process, send to the service provider through the UE an assert message associated with the first identity to enable the authorized access to the service.
- View Dependent Claims (2)
- - 2. The apparatus of claim 1 wherein the service includes a web service and wherein the first IdP is to operate as the proxy in a wireless or wired communication network.

3. An article of manufacture, comprising:
- a non-transitory computer-readable medium having computer-readable instructions stored thereon and executable by a processor of a first identity provider (IdP) corresponding to a first identity, to;
  
  receive, from a user equipment (UE), a request to authenticate a first identity that is redirected from a service provider to the first IdP;
  
  in response to receipt of the request to authenticate the first identity, determine that the first identity is linked to a user having a second identity corresponding to a second IdP;
  
  obtain, directly from the second IdP, an assertion that the second identity is authenticated with the second IdP; and
  
  in response to the obtained assertion that the second identity is authenticated with the second IdP, transmit an assert message to the service provider through the UE to assert verification of the first identity to enable authorized access of the UE to a service of the service provider that recognizes the first identity.
- View Dependent Claims (4, 5, 6)
- - 4. The article of manufacture of claim 3 wherein to determine that the first identity is linked to the user having the second identity, the computer-readable instructions are executable by the processor to check a stored subscription that pertains to the second identity.
  - 5. The article of manufacture of claim 3 wherein the computer-readable medium further includes computer-readable instructions that are executable by the processor to:
    - provide the first identity;
      
      enable the service to be accessed according to a single sign-on (SSO) process using the first identity; and
      
      enable the service to be accessed according to the SSO process using the second identity.
  - 6. The article of manufacture of claim 3 wherein the computer-readable medium further includes computer-readable instructions that are executable by the processor to:
    - in response to a determination that the second identity is not requested to be used to access the service, assert verification of the first identity to enable the first identity to be used to access the service.

7. One or more non-transitory, computer-readable media having instructions that, when executed by a network device implements a first identity provider (IdP) that provides a first identity associated with a user as a proxy for a second IdP that provides a second identity associated with the user to enable the second identity to be used to obtain authorized access to a service of a service provider that recognizes the first identity, wherein the service provider is distinct from the first and second IdPs and the first IdP is to:
- receive an authentication request from a user equipment for the service, wherein the authentication request is redirected from the service provider to the network device;
  
  send, based on the authentication request, a communication directly to the second IdP to initiate an authentication process with the second IdP for the second identity;
  
  determine that the second identity is to be authenticated by the authentication process; and
  
  send, based on said determination, to the service provider through the UE an assert message associated with the first identity to enable the authorized access to the service.
- View Dependent Claims (8)
- - 8. The one or more non-transitory, computer-readable media of claim 7, wherein the service includes a web service and wherein the first IdP is to operate as the proxy in a wireless or wired communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc., Intel Corporation
Original Assignee
Intel Corporation, Intel Deutschland GmbH (Intel Corporation)
Inventors
Sharaga, Avishay, Luft, Achim
Primary Examiner(s)
Vaughan, Michael R

Application Number

US13/995,118
Publication Number

US 20130276085A1
Time in Patent Office

1,513 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

H04L 63/102   Entity profiles

H04L 65/1069   Session establishment or de...

H04L 65/60   Network streaming of media ...

H04L 65/70   Media network packetisation

H04L 65/75   Media network packet handling

H04L 65/80   Responding to QoS

H04L 67/148   Migration or transfer of se...

H04L 67/303   Terminal profiles

H04N 21/25833   involving client hardware c...

H04N 21/2662   Controlling the complexity ...

Y02D 30/70   in wireless communication n...

Multi-hop single sign-on (SSO) for identity provider (IdP) roaming/proxy

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Multi-hop single sign-on (SSO) for identity provider (IdP) roaming/proxy

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links