Remote access of digital identities

US 9,521,131 B2
Filed: 02/10/2014
Issued: 12/13/2016
Est. Priority Date: 01/26/2007
Status: Active Grant

First Claim

Patent Images

1. A method of using a digital identity representation, comprising:

sending, from a second device, a request to a relying party for authentication requirements of the relying party;

sending to a first device a request from the second device to obtain the digital identity representation based on the authentication requirements of the relying party;

receiving at the second device the digital identity representation, the digital identity representation including metadata describing at least a first claim about a principal;

sending from the second device a request to use the digital identity representation;

receiving at the second device permission to use the digital identity representation;

using the digital identity representation to request an identity token;

receiving the identity token; and

providing the identity token to the relying party.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for controlling distribution and use of digital identity representations (“DIRs”) increases security, usability, and oversight of DIR use. A DIR stored on a first device may be obtained by a second device for use in satisfying the security policy of a relying party. Release of the DIR to the second device requires permission from a device or entity that may be different from the device or entity attempting to access the relying party. Further, the use of the DIR to obtain an identity token may separately require permission of even a different person or entity and may be conditioned upon receiving satisfactory information relating to the intended use of the DIR (e.g., the name of the relying party, type of operation being attempted, etc.). By controlling the distribution and use of DIRs, security of the principal'"'"'s identity and supervisory control over a principal'"'"'s activities are enhanced.

Citations

20 Claims

1. A method of using a digital identity representation, comprising:
- sending, from a second device, a request to a relying party for authentication requirements of the relying party;
  
  sending to a first device a request from the second device to obtain the digital identity representation based on the authentication requirements of the relying party;
  
  receiving at the second device the digital identity representation, the digital identity representation including metadata describing at least a first claim about a principal;
  
  sending from the second device a request to use the digital identity representation;
  
  receiving at the second device permission to use the digital identity representation;
  
  using the digital identity representation to request an identity token;
  
  receiving the identity token; and
  
  providing the identity token to the relying party.
- View Dependent Claims (2, 3, 4, 18, 19, 20)
- - 2. The method of claim 1, wherein the request to use the digital identity representation is sent to a third device that is different from the first and second devices.
  - 3. The method of claim 1, wherein the request to use the digital identity representation is sent to a device that is controlled by a person other than the principal.
  - 4. The method of claim 1, wherein the request to use the digital identity information includes information identifying the relying party.
  - 18. The method of claim 1, wherein the digital identity representation is sent to an identity provider, and the identity provider requests and receives permission to use the digital identity representation prior to providing the identity token.
  - 19. The system of claim 1, wherein the digital identity representation is programmed to signal to an identity provider receiving the digital identity representation that permission to use the digital identity representation must be obtained from a particular device before the identity provider is permitted to provide the requesting device with an identity token.
  - 20. The system of claim 1, wherein the digital identity representation is programmed to signal to an identity provider receiving the digital identity representation that permission to use the digital identity representation must be obtained from a particular person before the identity provider is permitted to provide the requesting device with an identity token.

5. A system for using a digital identity representation, comprising:
- at least one processor;
  
  memory, operatively connected to the at least one processor and including instructions that, when executed by the at least one processor, cause the at least one processor to;
  
  send, from a second device, a request to a relying party for authentication requirements of the relying party;
  
  send to a first device a request from the second device to obtain the digital identity representation based on the authentication requirements of the relying party;
  
  receive at the second device the digital identity representation, wherein the digital identity representation includes metadata describing at least a first claim about a principal;
  
  send from the second device a request to use the digital identity representation;
  
  receive at the second device permission to use the digital identity representation;
  
  use the digital identity representation to request an identity token;
  
  receive the identity token; and
  
  provide the identity token to the relying party.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 6. The system of claim 5, wherein the request to use the digital identity representation is sent to a third device that is different from the first and second devices.
  - 7. The system of claim 5, wherein the request to use the digital identity representation is sent to a device that is controlled by a person other than the principal.
  - 8. The system of claim 5, wherein the request to use the digital identity information includes information identifying the relying party.
  - 9. The system of claim 5, wherein the digital identity representation is programmed to signal to an identity provider receiving the digital identity representation that permission to use the digital identity representation must be obtained from a particular person before the identity provider is permitted to provide the requesting device with an identity token.
  - 10. The system of claim 5, wherein the digital identity representation is programmed to signal to an identity provider receiving the digital identity representation that permission to use the digital identity representation must be obtained from a particular device before the identity provider is permitted to provide the requesting device with an identity token.
  - 11. The system of claim 5, wherein the request for permission to use the digital identity representation requires an indication of acceptance from a person controlling the device to which the request for permission is sent.
  - 12. The system of claim 5, wherein permission to use the digital identity representation is contingent upon providing information regarding the intended use of the digital identity representation.
  - 13. The system of claim 12, wherein the information regarding the intended use of the digital identity representation comprises the name of the relying party.
  - 14. The system of claim 5, wherein permission to use the digital identity representation is received before the digital identity representation is sent to an identity provider.
  - 15. The system of claim 5, wherein the digital identity representation is sent to an identity provider, and the identity provider requests and receives permission to use the digital identity representation prior to providing the identity token.
  - 16. The system of claim 5, wherein receiving the identity token comprises receiving a pointer to the identity token that the relying party can use to obtain the identity token from another device.
  - 17. The system of claim 5, wherein the request to obtain and use the digital identity representation are made simultaneously to a single device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Shewchuk, John, Cameron, Kim, Nanda, Arun, Xie, Xiao
Primary Examiner(s)
DADA, BEEMNET W

Application Number

US14/176,782
Publication Number

US 20140215577A1
Time in Patent Office

1,037 Days
Field of Search

726 2- 7, 726/9, 713/170, 713/173, 713/178
US Class Current

1/1
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0853   using an additional device,...

Remote access of digital identities

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Remote access of digital identities

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links