Conditional access to services based on device claims
First Claim
1. In a computing environment, a method of providing access to one or more resources to a user device, the method comprising:
at a user device, registering with an identity service to obtain an identity credential which omits a claim that the user device is a managed device;
the user device sending the identity credential to a service endpoint where it is determined that the identity credential omits the claim that the user device is a managed device;
at the user device, registering with a policy management service by at least presenting the identity credential to the policy management service, the user device registering with the policy management service in response to the user device being redirected to the policy management service from the service endpoint in response to the user device presenting the identity credential to the service endpoint that was determined to omit the claim that the user device is a managed device;
at the user device, receiving a compliance policy listing corresponding to a compliance policy required for managed devices, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the user device for the user device to be compliant with the compliance policy or (b) one or more states of the user device required for compliance;
at the user device, performing at least one of providing a notification to the policy management service that indicates (a) the one or more states of the user device required for compliance or (b) the user device taking a remedial action that includes the one or more changes required for the user device to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
at the user device, receiving a token from the identity service that indicates a compliance state of the user device and a claim that the user device is a managed device, the token being based on the identity service receiving the compliance state setting from the policy management service; and
the user device transmitting the token to the service endpoint with the claim that the user device is a managed device.
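The exchange in claim 1, simulated end to end as an added example; this is not code from the patent or from any product that implements it. Everything in it is an assumption for illustration: HMAC-SHA256 signed JSON stands in for the identity credential and the token, the two keys, the enrolment URL `MDM_ENROLL_URL`, the policy items, the `REMEDIABLE` set of settings the device can change itself, and the device states are constructed, and the compliance state setting sent from the policy management service to the identity service is modelled as a second signed message on its own channel key. The security point the example makes is the one the claim turns on: the managed claim is only ever written by the identity service after it has received an authenticated compliance state setting from the policy management service, so the service endpoint can trust it after checking the signature, while a device that self-asserts the claim, or presents a tampered or malformed token, is refused.

```python
"""Simulated claim-1 flow; keys, URL, policy items and device state are constructed."""
import base64, hashlib, hmac, json

IDENTITY_KEY = b"demo-identity-service-signing-key"    # assumption: identity service token key
MDM_CHANNEL_KEY = b"demo-mdm-to-identity-channel-key"  # assumption: MDM -> identity service channel
MDM_ENROLL_URL = "https://mdm.example/enroll"          # hypothetical redirect target
REMEDIABLE = {"disk_encrypted", "screen_lock"}         # assumption: settings the device can change

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Minimal signed token: base64url(JSON claims).base64url(HMAC-SHA256 over that)."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())

def verify(token: str, key: bytes):
    """Return the claims if the MAC verifies under key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 2:
        return None
    expected = hmac.new(key, parts[0].encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(parts[1])):
            return None
        return json.loads(_unb64(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None

class IdentityService:
    """Sets managed/compliance claims only from an authenticated MDM compliance state setting."""
    def __init__(self):
        self.compliance = {}  # device_id -> "compliant" | "noncompliant"

    def register(self, device_id: str) -> str:
        claims = {"sub": device_id}  # the device never supplies the managed claim itself
        if device_id in self.compliance:
            claims.update(managed=True, compliance=self.compliance[device_id])
        return sign(claims, IDENTITY_KEY)

    def receive_compliance_setting(self, setting: str) -> bool:
        msg = verify(setting, MDM_CHANNEL_KEY)
        if msg is None:
            return False
        self.compliance[msg["device_id"]] = msg["state"]
        return True

class PolicyManagementService:
    """Enrols devices, hands out the compliance policy listing, evaluates reported state."""
    def __init__(self, identity: IdentityService, policy: dict):
        self.identity, self.policy, self.enrolled = identity, policy, set()

    def register(self, credential: str):
        claims = verify(credential, IDENTITY_KEY)
        if claims is None:
            return None
        self.enrolled.add(claims["sub"])
        return dict(self.policy)  # the listing: states required / changes to make

    def report_state(self, credential: str, state: dict) -> str:
        claims = verify(credential, IDENTITY_KEY)
        if claims is None or claims["sub"] not in self.enrolled:
            return "rejected"
        result = "compliant" if all(state.get(k) == v for k, v in self.policy.items()) else "noncompliant"
        # The notification triggers the compliance state setting sent to the identity service.
        self.identity.receive_compliance_setting(
            sign({"device_id": claims["sub"], "state": result}, MDM_CHANNEL_KEY))
        return result

def endpoint_access(token: str):
    """Service endpoint: verify the signature, then require the managed and compliant claims."""
    claims = verify(token, IDENTITY_KEY)
    if claims is None:
        return 401, "invalid or tampered token"
    if not claims.get("managed"):
        return 302, MDM_ENROLL_URL  # unmanaged: redirect to the policy management service
    if claims.get("compliance") != "compliant":
        return 403, "managed but not compliant"
    return 200, "resource"

def run_flow(device_id: str, device_state: dict, identity, mdm) -> list:
    """Walk the steps of claim 1 for one device; return the endpoint status codes seen."""
    cred = identity.register(device_id)          # credential omits the managed claim
    trace = [endpoint_access(cred)[0]]
    if trace[0] != 302:
        return trace
    listing = mdm.register(cred)                 # redirected: enrol with the MDM
    for item, required in listing.items():       # remedial action where the device can make the change
        if device_state.get(item) != required and item in REMEDIABLE:
            device_state[item] = required
    mdm.report_state(cred, device_state)         # notification -> compliance state setting
    token = identity.register(device_id)         # now carries managed + compliance state
    trace.append(endpoint_access(token)[0])
    return trace
```

Running `run_flow("laptop-1", {"disk_encrypted": False, "screen_lock": True}, identity, mdm)` against a policy requiring both settings returns `[302, 200]`: the first credential is bounced to enrolment, the device remediates disk encryption, and the second token carries the managed claim. A device whose policy includes an item it cannot change itself ends at `[302, 403]`, because the identity service still marks it managed but records it as noncompliant, and a token the device signs with its own key, asserting the claim, fails signature verification at the endpoint.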
Abstract
Providing access to one or more resources to a user device. A method includes, at a user device, registering with an identity service to obtain an identity credential. The method further includes, at the user device, registering with a policy management service by presenting the identity credential. The method further includes, at the user device, providing an indication of the current state of the user device to the policy management service. The policy management service can then indicate to the identity service the compliance level of the user device. The method further includes the user device receiving a token from the identity service based on the compliance level of the user device as compared to a policy set.
20 Claims
1. Claim 1 is reproduced above under First Claim. Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 are not reproduced on this page.
11. A computer system, comprising:
one or more hardware processors; and
one or more computer-readable hardware storage devices having stored thereon computer-executable instructions that are executable by the one or more hardware processors to cause the computer system to provide access to one or more computing resources, and further to cause the computer system to perform the following:
register with an identity service to obtain an identity credential which omits a claim that the computer system is a managed system;
send the identity credential to a service endpoint where it is determined that the identity credential omits the claim that the computer system is a managed system;
register with a policy management service by at least presenting the identity credential to the policy management service, the computer system registering with the policy management service in response to the computer system being redirected to the policy management service from the service endpoint in response to the computer system presenting the identity credential to the service endpoint that was determined to omit the claim that the computer system is a managed system;
receive a compliance policy listing corresponding to a compliance policy required for managed systems, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the computer system for the computer system to be compliant with the compliance policy or (b) one or more states of the computer system required for compliance;
perform at least one of providing a notification to the policy management service that indicates (a) the one or more states of the computer system required for compliance or (b) the computer system taking a remedial action that includes the one or more changes required for the computer system to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
receive a token from the identity service that indicates a compliance state of the computer system and a claim that the computer system is a managed system, the token being based on the identity service receiving the compliance state setting from the policy management service; and
transmit the token to the service endpoint with the claim that the computer system is a managed system.
Dependent claims 12, 13, 14, 15, 16, 17, 18 and 19 are not reproduced on this page.
20. One or more hardware storage devices having thereon computer-executable instructions that are executable by one or more hardware processors of a computing system to cause the computing system to provide access to one or more computing resources by at least causing the computing system to perform:
register with an identity service to obtain an identity credential which omits a claim that the computing system is a managed system;
send the identity credential to a service endpoint where it is determined that the identity credential omits the claim that the computing system is a managed system;
register with a policy management service by at least presenting the identity credential to the policy management service, the computing system registering with the policy management service in response to the computing system being redirected to the policy management service from the service endpoint in response to the computing system presenting the identity credential to the service endpoint that was determined to omit the claim that the computing system is a managed system;
receive a compliance policy listing corresponding to a compliance policy required for managed systems, the compliance policy listing identifying one or more items of interest, the one or more items of interest including at least (a) one or more changes to be made at the computing system for the computing system to be compliant with the compliance policy or (b) one or more states of the computing system required for compliance;
perform at least one of providing a notification to the policy management service that indicates (a) the one or more states of the computing system required for compliance or (b) the computing system taking a remedial action that includes the one or more changes required for the computing system to be compliant, wherein the notification triggers the transmission of a compliance state setting to the identity service;
receive a token from the identity service that indicates a compliance state of the computing system and a claim that the computing system is a managed system, the token being based on the identity service receiving the compliance state setting from the policy management service; and
transmit the token to the service endpoint with the claim that the computing system is a managed system.