System and method for pool-based identity authentication for service access without use of stored credentials

US 9,319,394 B2
Filed: 05/29/2014
Issued: 04/19/2016
Est. Priority Date: 05/13/2008
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a service provider from a service consumer, a request to access a service;

checking configuration restrictions associated with the requested service to determine one of various ways to respond to the request, the configuration restrictions including authentication restrictions associated with the requested service;

providing, by the service provider, an immediate response to grant access to the service consumer for the requested service if the configuration restrictions indicates no authentication restrictions and the requested service is authorized by an authorization service;

generating a response to grant access to the service consumer for the requested service if the configuration restrictions indicates there is some level of authentication restrictions associated with the requested service, generating the response further comprising;

sending, from the service provider to an authentication authority, a request to authenticate the requested service and the service consumer; and

receiving, by the service provider from the authentication authority, validation of the requested service, the validation is based on provisioning information representing real time deployment configuration information managed by a secure provisioning system for managing deployment of services such that the requested service is deployed without involving a key deployment step that uses at least one of stored credentials and a password entry, or a combination thereof;

receiving, by the service provider from an authorization service, authorization of the requested service for the service consumer; and

providing, by the service provider to the service consumer, the response to grant access to the service consumer for the requested service in response to the validation and the authorization of the requested service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for pool-based identity authentication for service access without use of stored credentials is disclosed. The method in an example embodiment includes providing provisioning information for storage in a provisioning repository; receiving a service request from a service consumer, the service request including requestor identifying information; generating an authentication request to send to an authentication authority, the authentication request including requestor identifying information; receiving validation of an authenticated service request from the authentication authority; and providing the requested service to the service consumer.

31 Citations

View as Search Results

16 Claims

1. A method comprising:
- receiving, by a service provider from a service consumer, a request to access a service;
  
  checking configuration restrictions associated with the requested service to determine one of various ways to respond to the request, the configuration restrictions including authentication restrictions associated with the requested service;
  
  providing, by the service provider, an immediate response to grant access to the service consumer for the requested service if the configuration restrictions indicates no authentication restrictions and the requested service is authorized by an authorization service;
  
  generating a response to grant access to the service consumer for the requested service if the configuration restrictions indicates there is some level of authentication restrictions associated with the requested service, generating the response further comprising;
  
  sending, from the service provider to an authentication authority, a request to authenticate the requested service and the service consumer; and
  
  receiving, by the service provider from the authentication authority, validation of the requested service, the validation is based on provisioning information representing real time deployment configuration information managed by a secure provisioning system for managing deployment of services such that the requested service is deployed without involving a key deployment step that uses at least one of stored credentials and a password entry, or a combination thereof;
  
  receiving, by the service provider from an authorization service, authorization of the requested service for the service consumer; and
  
  providing, by the service provider to the service consumer, the response to grant access to the service consumer for the requested service in response to the validation and the authorization of the requested service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein checking configuration restrictions associated with the requested service to determine one of various ways to respond to the request further comprises:
    - determining, by the service provider, the requested service has the configuration restrictions indicating no restrictions or some level of restrictions.
  - 3. The method of claim 2, wherein the validation is based on provisioning information and independently verifiable data.
  - 4. The method of claim 1, wherein the validation of the requested service is determined by matching the requested service and identity of the service consumer provided in the request with the provisioned services specified by the provisioning information.
  - 5. The method of claim 1, wherein receiving, by the service provider from an authorization service, authorization of the requested service for the service consumer further comprises:
    - sending, to the authorization services, an authorization request for the requested service; and
      
      receiving, from the authorization service a grant of the authorization request for the requested service based on access controls previously configured for the service consumer.
  - 6. The method of claim 1, wherein the immediate response represents one of the various ways to respond to the request.
  - 7. The method of claim 1, wherein the response represents one of the various ways to respond to the request.
  - 8. The method as claimed in claim 1, wherein the request to access the service is sent using a protocol compatible with the security assertion markup language (SAML).
  - 9. The method of claim 1, wherein the provisioning information is generated at initial deployment time of a system having a plurality of service providers and a plurality of service consumers, at least one of the plurality of service consumers having provisioning information including a mapping of services accessible to each of the at least one of the service consumers.

10. A system comprising:
- a memory device for storing instructions; and
  
  a processor, which, when executing the instructions, causes the system to perform operations comprising;
  
  receiving, by a service provider from a service consumer, a request to access a service;
  
  checking configuration restrictions associated with the requested service to determine one of various ways to respond to the request, the configuration restrictions including authentication restrictions associated with the requested service;
  
  providing, by the service provider, an immediate response to grant access to the service consumer for the requested service if the configuration restrictions indicates no authentication restrictions and the requested service is authorized by an authorization service;
  
  generating a response to grant access to the service consumer for the requested service if the configuration restrictions indicates there is some level of authentication restrictions associated with the requested service, generating the response further comprising;
  
  sending, from the service provider to an authentication authority, a request to authenticate the requested service and the service consumer; and
  
  receiving, by the service provider from the authentication authority, validation of the requested service, the validation is based on provisioning information representing real time deployment configuration information managed by a secure provisioning system for managing deployment of services such that the requested service is deployed without involving a key deployment step that uses at least one of stored credentials and a password entry, or a combination thereof;
  
  receiving, by the service provider from an authorization service, authorization of the requested service for the service consumer; and
  
  providing, by the service provider to the service consumer, the response to grant access to the service consumer for the requested service in response to the validation and the authorization of the requested service.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the validation is based on provisioning information and independently verifiable data.
  - 12. The system of claim 10, wherein the validation of the requested service is determined by matching the requested service and identity of the service consumer provided in the request with the provisioned services specified by the provisioning information.
  - 13. The system of claim 10, wherein the processor, which, when executing the instructions, further causes the system tosend, to the authorization service, an authorization request for the requested service;
    - andreceiving, from the authorization service of the authorization request for the requested service based on access controls previously configured for the service consumer.
  - 14. The system of claim 10, wherein the immediate response represents one of the various ways to respond to the request and the response represents another one of the various ways to respond to the request.
  - 15. The system of claim 10, wherein the provisioning information is generated at initial deployment time by the secure provisioning system for a plurality of service providers and a plurality of service consumers, at least one of the plurality of service consumers having provisioning information including a mapping of services accessible to each of the at least one of the service consumers.

16. A computer readable non-transitory storage medium storing at least one program configured for execution by a computer, the at least one program comprising instructions to:
- receive, by a service provider from a service consumer, a request to access a service;
  
  checking configuration restrictions associated with the requested service to determine one of various ways to respond to the request, the configuration restrictions including authentication restrictions associated with the requested service;
  
  provide, by the service provider, an immediate response to grant access to the service consumer for the requested service if the configuration restrictions indicates no authentication restrictions and the requested service is authorized by an authorization service;
  
  generate a response to grant access to the service consumer for the requested service the configuration restrictions indicates if there is some level of authentication restrictions associated with the requested service, generating the response further comprising instructions to;
  
  send, from the service provider to an authentication authority, a request to authenticate the requested service and the service consumer; and
  
  receive, by the service provider from the authentication authority, validation of the requested service, the validation is based on provisioning information representing real time deployment configuration information managed by a secure provisioning system for managing deployment of services such that the requested service is deployed without involving a key deployment step that uses at least one of stored credentials and a password entry, or a combination thereof;
  
  receive, by the service provider from an authorization service, authorization of the requested service for the service consumer; and
  
  provide, by the service provider to the service consumer, the response to grant access to the service consumer for the requested service in response to the validation and the authorization of the requested service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
eBay Inc.
Original Assignee
eBay Inc.
Inventors
Kolluru, Raju Venkata, Kleinpeter, Michael Dean
Primary Examiner(s)
REVAK, CHRISTOPHER A

Application Number

US14/290,823
Publication Number

US 20140282980A1
Time in Patent Office

691 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 9/321   involving a third party or ...

System and method for pool-based identity authentication for service access without use of stored credentials

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for pool-based identity authentication for service access without use of stored credentials

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links