Conditional access to services based on device claims

US 9,444,848 B2
Filed: 09/19/2014
Issued: 09/13/2016
Est. Priority Date: 09/19/2014
Status: Active Grant

First Claim

Patent Images

1. In a computing environment, a method of providing access to one or more resources to a user device, the method comprising:

at a user device, registering with an identity service to obtain an identity credential which omits a claim that the user device is a managed device;

the user device sending the identity credential to a service endpoint where it is determined that the identity credential omits the claim that the user device is a managed device;

at the user device, registering with a policy management service by at least presenting the identity credential to the policy management service, the user device registering with the policy management service in response to the user device being redirected to the policy management service from the service endpoint in response to the user device presenting the identity credential to the service endpoint that was determined to omit the claim that the user device is a managed device;

at the user device, receiving a compliance policy listing corresponding to a compliance policy required for managed devices, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the user device for the user device to be compliant with the compliance policy or (b) one or more states of the user device required for compliance;

at the user device, performing at least one of providing a notification to the policy management service that indicates (a) the one or more states of the user device required for compliance or (b) the user device taking a remedial action that includes the one or more changes required for the user device to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;

at the user device, receiving a token from the identity service that indicates a compliance state of the user device and a claim that the user device is a managed device, the token being based on the identity service receiving the compliance state setting from the policy management service; and

the user device transmitting the token to the service endpoint with the claim that the user device is a managed device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing access to one or more resources to a user device. A method includes at a user device, registering with an identity service to obtain an identity credential. The method further includes at the user device, registering with a policy management service by presenting the identity credential. The method further includes at the user device, providing an indication of current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the policy management level of the user device as compared to a policy set.

Citations

20 Claims

1. In a computing environment, a method of providing access to one or more resources to a user device, the method comprising:
- at a user device, registering with an identity service to obtain an identity credential which omits a claim that the user device is a managed device;
  
  the user device sending the identity credential to a service endpoint where it is determined that the identity credential omits the claim that the user device is a managed device;
  
  at the user device, registering with a policy management service by at least presenting the identity credential to the policy management service, the user device registering with the policy management service in response to the user device being redirected to the policy management service from the service endpoint in response to the user device presenting the identity credential to the service endpoint that was determined to omit the claim that the user device is a managed device;
  
  at the user device, receiving a compliance policy listing corresponding to a compliance policy required for managed devices, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the user device for the user device to be compliant with the compliance policy or (b) one or more states of the user device required for compliance;
  
  at the user device, performing at least one of providing a notification to the policy management service that indicates (a) the one or more states of the user device required for compliance or (b) the user device taking a remedial action that includes the one or more changes required for the user device to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
  
  at the user device, receiving a token from the identity service that indicates a compliance state of the user device and a claim that the user device is a managed device, the token being based on the identity service receiving the compliance state setting from the policy management service; and
  
  the user device transmitting the token to the service endpoint with the claim that the user device is a managed device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprisingproviding a user of the user device information about compliance violations and information on how to remediate the compliance violations.
  - 3. The method of claim 1, wherein the token further includes a level of compliance.
  - 4. The method of claim 1, wherein the compliance policy listing includes a requirement that a password of the user device be of a certain length.
  - 5. The method of claim 1, wherein the compliance policy listing includes a requirement that the user device requires a character pin in use on the user device.
  - 6. The method of claim 1, wherein the policy management service indicates a security level of the user device, the security level indicating at least one of a level of encryption, a strength of a password, or a jail-broken status of the user device.
  - 7. The method of claim 1, wherein the compliance policy listing includes one of a user state, a group state, a role state, an ip address, or a platform state.
  - 8. The method of claim 1, wherein compliance claims allowing access to resources at a service endpoint are issued based on a token issuance policy.
  - 9. The method of claim 1, wherein the token further includes a compliance claim that expires.
  - 10. The method of claim 1, wherein the remedial action includes redirecting the user device to the policy management service where the policy management service then guides a user of the user device to perform actions to place the user device into a compliant state.

11. A computer system, comprising:
- one or more hardware processors; and
  
  one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are executable by the one or more hardware processors to cause the computer system to provide access to one or more computing resources, and further to cause the computer system to perform the following;
  
  register with an identity service to obtain an identity credential which omits a claim that the computer system is a managed system;
  
  send the identify credential to a service endpoint where it is determined that the identity credential omits the claim that the computer system is a managed system;
  
  register with a policy management service by at least presenting the identity credential to the policy management service, the computer system registering with the policy management service in response to the computer system being redirected to the policy management service from the service endpoint in response to the computer system presenting the identity credential to the service endpoint that was determined to omit the claim that the computer system is a managed system;
  
  receive a compliance policy listing corresponding to a compliance policy required for managed systems, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the computer system for the computer system to be compliant with the compliance policy or (b) one or more states of the computer system required for compliance;
  
  perform at least one of providing a notification to the policy management service that indicates (a) the one or more states of the computer system required for compliance or (b) the computer system taking a remedial action that includes the one or more changes required for the computer system to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
  
  receive a token from the identity service that indicates a compliance state of the computer system and a claim that the computer system is a managed system, the token being based on the identity service receiving the compliance state setting from the policy management service; and
  
  transmit the token to the service endpoint with the claim that the computer system is a managed system.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The computer system of claim 11, wherein the computer-executable instructions further cause the computer system to provide a user of the computer system information about compliance violations and information on how to remediate the compliance violations.
  - 13. The computer system of claim 11, wherein the token further includes a level of compliance.
  - 14. The computer system of claim 11, wherein the compliance policy listing includes a requirement that a password of the computer system be of a certain length.
  - 15. The computer system of claim 11, wherein the compliance policy listing includes a requirement that the computer system requires a character pin in use on the computer system.
  - 16. The computer system of claim 11, wherein the policy management service indicates a security level of the computer system, the security level indicating at least one of a level of encryption, a strength of a password, or a jail-broken status of the computer system.
  - 17. The computer system of claim 11, wherein the compliance policy listing includes one of a user state, a group state, a role state, an ip address, or a platform state.
  - 18. The computer system of claim 11, wherein the token further includes a compliance claim that expires.
  - 19. The computer system of claim 11, wherein the remedial action includes redirecting the computer system to the policy management service where the policy management service then guides a user of the computer system to perform actions to place the computer system into a compliant state.

20. One or more hardware storage devices having thereon computer-executable instructions that are executable by one or more hardware processors of a computing system to cause the computing system to provide access to one or more computing resources by at least causing the computing system to perform:
- register with an identity service to obtain an identity credential which omits a claim that the computing system is a managed system;
  
  send the identify credential to a service endpoint where it is determined that the identity credential omits the claim that the computing system is a managed system;
  
  register with a policy management service by at least presenting the identity credential to the policy management service, the computing system registering with the policy management service in response to the computing system being redirected to the policy management service from the service endpoint in response to the computing system presenting the identity credential to the service endpoint that was determined to omit the claim that the computing system is a managed system;
  
  receive a compliance policy listing corresponding to a compliance policy required for managed systems, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the computing system for the computing system to be compliant with the compliance policy or (b) one or more states of the computing system required for compliance;
  
  perform at least one of providing a notification to the policy management service that indicates (a) the one or more states of the computing system required for compliance or (b) the computing system taking a remedial action that includes the one or more changes required for the computing system to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
  
  receive a token from the identity service that indicates a compliance state of the computing system and a claim that the computing system is a managed system, the token being based on the identity service receiving the compliance state setting from the policy management service; and
  
  transmit the token to the service endpoint with the claim that the computing system is a managed system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Green, Christopher Samuel, Qureshi, Farhan Haleem, SenGupta, Sucharit, Soy, Nirmal Rajesh, Healy, Michael J.
Primary Examiner(s)
Nalven, Andrew
Assistant Examiner(s)
MALINOWSKI, WALTER J

Application Number

US14/491,819
Publication Number

US 20160088017A1
Time in Patent Office

725 Days
Field of Search

726/1, 726/3, 726/6, 726/9, 709/224
US Class Current

1/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

Conditional access to services based on device claims

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Conditional access to services based on device claims

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links