Revoking sessions using signaling

US 9,537,851 B2
Filed: 08/06/2014
Issued: 01/03/2017
Est. Priority Date: 08/06/2014
Status: Active Grant

First Claim

Patent Images

1. At a computer system including at least one processor, a computer-implemented method for revoking user sessions using signaling, the method comprising:

an act of receiving, at an identity platform, an indication indicating that a user'"'"'s login account has been compromised, the user'"'"'s login account having an associated login session and corresponding session artifact that is valid for a specified amount of time, wherein the specified amount of time for the session artifact indicates that the session should remain valid beyond a time in which the indication was received;

an act of generating a signal indicating that the login session is no longer trusted, irrespective of the specified amount of time for the session artifact indicating that the session should still remain valid, and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact; and

an act of using a synchronization signal that is part of an existing synchronization contract to provide the generated signal to one or more relying parties including at least one relying party that is hosting the login session for the user, by utilizing and piggybacking one or more synchronization messages that are already being transmitted according to a predetermined schedule based on the synchronization contract.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user'"'"'s login account has been compromised, where the user'"'"'s login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

21 Citations

View as Search Results

15 Claims

1. At a computer system including at least one processor, a computer-implemented method for revoking user sessions using signaling, the method comprising:
- an act of receiving, at an identity platform, an indication indicating that a user'"'"'s login account has been compromised, the user'"'"'s login account having an associated login session and corresponding session artifact that is valid for a specified amount of time, wherein the specified amount of time for the session artifact indicates that the session should remain valid beyond a time in which the indication was received;
  
  an act of generating a signal indicating that the login session is no longer trusted, irrespective of the specified amount of time for the session artifact indicating that the session should still remain valid, and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact; and
  
  an act of using a synchronization signal that is part of an existing synchronization contract to provide the generated signal to one or more relying parties including at least one relying party that is hosting the login session for the user, by utilizing and piggybacking one or more synchronization messages that are already being transmitted according to a predetermined schedule based on the synchronization contract.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the indication indicating that the user'"'"'s login account has been compromised is generated upon detecting, through heuristics, that a user'"'"'s account has been compromised or upon determining that login credentials associated with the user have changed.
  - 3. The method of claim 1, wherein the indication indicating that the user'"'"'s login account has been compromised is generated upon receiving input from an administrator indicating that the user'"'"'s login account has been compromised.
  - 4. The method of claim 3, wherein the indication indicating that the user'"'"'s login account has been compromised is generated further upon detecting a change in a user password.
  - 5. The method of claim 4, wherein the method further includes notifying all devices that rely on the user password for one or more associated sessions that the one or more associated sessions should be revoked.
  - 6. The method of claim 1, wherein the indication indicating that the user'"'"'s login account has been compromised is generated upon determining that an application serviced by the identity platform has removed one or more of its cookie files.
  - 7. The method of claim 1, wherein the generated signal is provided to the one or more relying parties using push messaging or pull messaging.
  - 8. The method of claim 1, wherein the generated signal invalidates the user'"'"'s login session across a plurality of services or devices.
  - 9. The method of claim 1, wherein the generated signal is relayed from an on-premises platform to a cloud identity platform using push messaging or pull messaging.
  - 10. The method of claim 1, wherein the identity platform receives a revocation signal and revokes the user'"'"'s associated login session across one or more applications or devices.
  - 11. The method of claim 1, wherein at least one of the relying parties comprises a software application that communicates with the identity platform for user session information.
  - 12. The method of claim 1, wherein the specified amount of time includes multiple days.

13. A computer system comprising the following:
- one or more processors;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to perform a method for revoking user sessions using signaling, the method comprising the following;
  
  an act of receiving, at an identity platform, an indication indicating that a user'"'"'s login account has been compromised, the user'"'"'s login account having an associated login session and corresponding session artifact that is valid for a specified amount of time, wherein the specified amount of time for the session artifact indicates that the session should remain valid beyond a time in which the indication was received;
  
  an act of generating a signal indicating that the login session is no longer trusted, irrespective of the specified amount of time for the session artifact indicating that the session should still remain valid, and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact; and
  
  an act of using a synchronization signal that is part of an existing synchronization contract to provide the generated signal to one or more relying parties including at least one relying party that is hosting the login session for the user, by utilizing and piggybacking one or more synchronization messages that are already being transmitted according to a predetermined schedule based on the synchronization contract.
- View Dependent Claims (14, 15)
- - 14. The computer system of claim 13, wherein the identity platform invalidates the session artifact associated with the login session, and wherein the existing synchronization contract notifies the relying parties using synchronization messages.
  - 15. The computer system of claim 13, wherein the user'"'"'s login session is revoked based on a determination of the user'"'"'s state information in a session management application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Devasahayam, Samuel, Zhao, Lu, Rouskov, Yordan, Arewar, Parmeshwar, Gopalakrishnan, Venkatesh, Subramaniam, Sarat Chandra, Miron, Titus Constantin
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US14/452,726
Publication Number

US 20160044011A1
Time in Patent Office

881 Days
Field of Search

726/4, 726/6
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 69/28   Timers or timing mechanisms...

Revoking sessions using signaling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

21 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Revoking sessions using signaling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

21 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links