Discovering and disambiguating identity providers

US 9,544,310 B2
Filed: 01/27/2014
Issued: 01/10/2017
Est. Priority Date: 01/27/2014
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to:

receive a first user identifier;

place one or more Application Programming Interface (API) calls to perform discovery on the first user identifier against a plurality of identity providers to determine whether any of the plurality of identity providers has an identity profile that matches the first user identifier;

based at least on a determination that a single identity provider of the plurality has a user profile that matches the first user identifier, provide redirect instructions for authenticating against the single identity provider;

based at least on a determination that multiple identity providers of the plurality have a user profile that matches the first user identifier, provide instructions for rendering a first disambiguation user interface;

based at least on a determination that disambiguation is unable to be performed, provide instructions for rendering a second disambiguation user interface; and

based at least on a determination that no identity provider of the plurality has a user profile that matches the first user identifier, provide instructions for rendering at least one of an account creation interface and an interface permitting input of a second user identifier.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and computer-readable storage media are provided for discovering and disambiguating identity providers such that user knowledge of appropriate identity providers is minimized. Users are presented with options for selecting appropriate providers only when multiple providers have user profiles matching a user identifier. When users are presented with options for selecting appropriate providers, providers that have user profiles matching the identifier are identified utilizing identity information for the application that utilizes the identity provider for its users rather than information identifying the identity provider itself. Where it is determined that no identity provider has a user profile associated with the user identifier (or where it is determined that a particular identity provider would generally be appropriate to be utilized with the user identifier), the opportunity for users to create an authentication account with one or more identity providers or to retry with a different user identifier is provided.

Citations

33 Claims

1. One or more computer-readable storage media storing computer-useable instructions that, when used by one or more computing devices, cause the one or more computing devices to:
- receive a first user identifier;
  
  place one or more Application Programming Interface (API) calls to perform discovery on the first user identifier against a plurality of identity providers to determine whether any of the plurality of identity providers has an identity profile that matches the first user identifier;
  
  based at least on a determination that a single identity provider of the plurality has a user profile that matches the first user identifier, provide redirect instructions for authenticating against the single identity provider;
  
  based at least on a determination that multiple identity providers of the plurality have a user profile that matches the first user identifier, provide instructions for rendering a first disambiguation user interface;
  
  based at least on a determination that disambiguation is unable to be performed, provide instructions for rendering a second disambiguation user interface; and
  
  based at least on a determination that no identity provider of the plurality has a user profile that matches the first user identifier, provide instructions for rendering at least one of an account creation interface and an interface permitting input of a second user identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The one or more computer readable storage media of claim 1, wherein the first user identifier is one of an email address, a user name, and a telephone number.
  - 3. The one or more computer-readable storage media of claim 1, wherein the one or more computing devices provide instructions for rendering the first disambiguation user interface by providing instructions for rendering identifying information corresponding only to the multiple identity providers of the plurality that are determined to have a user profile that matches the user identifier.
  - 4. The one or more computer-readable storage media of claim 3, wherein the identifying information corresponding to at least one of the multiple identity providers of the plurality that are determined to have a user profile that matches the first user identifier matches information identifying an organizational owner of the first user identifier.
  - 5. The one or more computer-readable storage media of claim 1, wherein the one or more computing devices provide instructions for rendering the first disambiguation user interface by providing instructions for rendering identifying information corresponding to the multiple identity providers of the plurality that are determined to have a user profile that matches the user identifier and identifying information corresponding to at least one identity provider of the plurality that is determined not to have a user profile that matches the user identifier, and wherein the one or more computing devices further provide instructions for rendering the first disambiguation user interface to allow for creating an identity profile with the at least one identity provider that is determined not to have a user profile that matches the user identifier.
  - 6. The one or more computer-readable storage media of claim 1, wherein the one or more computing devices provide instructions for rendering the first disambiguation user interface by providing instructions for rendering the first disambiguation user interface to allow for user selection of one of the multiple identity providers.
  - 7. The one or more computer-readable storage media of claim 6, wherein the one or more computing devices further determine that the user identifier is organizationally owned, and wherein the one or more computing devices provide instructions for rendering the first disambiguation user interface by, at least in part, providing instructions for rendering identifying information for one of the multiple identity providers that includes information associated with the organization owning the user identifier.
  - 8. The one or more computer-readable storage media of claim 1, wherein the one or more computing devices provide instructions for rendering an account creation user interface by providing instructions for rendering the account creation user interface to allow for creating an identity profile with an identity provider of the plurality that is determined to be most appropriate for the user identifier.
  - 9. The one or more computer-readable storage media of claim 1, wherein the one or more computing devices receive a single user identifier by receiving an email address, the email address having a domain, and wherein the one or more computing devices further comprises:
    - determine that a particular identity provider of the plurality of identity providers is configured for the domain; and
      
      provide instructions for rendering identifying information corresponding to the particular identity provider.
  - 10. The one or more computer-readable storage media of claim 1, wherein it is determined that disambiguation is unable to be performed when one or more API calls times out or returns unexpected, invalid, or throttled results.

11. A method being performed by one or more computing devices including at least one processor, comprising:
- receiving a first user identifier;
  
  placing one or more Application Programming Interface (API) calls to perform discovery on the first user identifier against a plurality of identity providers to determine whether any of the plurality of identity providers has authentication information associated with the first user identifier;
  
  based at least on a determination that a single identity provider of the plurality of identity providers has authentication information associated with the first user identifier, redirecting the user for authentication against the single identity provider;
  
  based at least on a determination that multiple identity providers of the plurality of identity providers have authentication information associated with the first user identifier, rendering a first disambiguation user interface;
  
  based at least on a determination that disambiguation is unable to be performed, rendering a second disambiguation user interface; and
  
  based at least on a determination that no identity provider of the plurality of identity providers have authentication information associated with the first user identifier, rendering at least one of an account creation interface and an interface permitting input of a second user identifier.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein rendering the first disambiguation user interface comprises rendering the first disambiguation user interface with identifying information corresponding only to the multiple identity providers of the plurality of identity providers that are determined to have authentication information associated with the first user identifier.
  - 13. The method of claim 12, wherein the identifying information corresponding to at least one of the multiple providers of the plurality of identity providers that are determined to have authentication information associated with the first user identifier includes information identifying an organizational owner of the first user identifier.
  - 14. The method of claim 11, wherein rendering the first disambiguation user interface comprises rendering the first disambiguation user interface to allow for user selection of one of the multiple identity providers.
  - 15. The method of claim 11, further comprising determining that the first user identifier is organizationally owned, and wherein rendering the first disambiguation user interface includes rendering identifying information for one of the multiple identity providers that includes information associated with the organization owning the first user identifier.
  - 16. The method of claim 11, wherein rendering an account creation user interface comprises rendering the account creation user interface to allow for creating an identity profile with an identity provider of the plurality that is determined to be most appropriate for the first user identifier.
  - 17. The method of claim 11, wherein receiving the first user identifier comprises one of prompting for input of the first user identifier and receiving a call from an external application that includes the first user identifier.
  - 18. The method of claim 11, wherein placing one or more API calls to perform discovery on the first user identifier against the plurality of identity providers to determine if any identity providers of the plurality has authentication information associated with the first user identifier comprises:
    - performing multiple API calls in parallel;
      
      receiving a response from each API call performed; and
      
      aggregating the responses received to determine if there are any identity providers of the plurality of identity providers that have a user profile that matches the first user identifier.
  - 19. The method of claim 11, wherein placing one or more API calls to perform discovery on the first user identifier against the plurality of identity providers to determine if any identity providers of the plurality has authentication information associated with the first user identifier comprises:
    - performing a single API call; and
      
      receiving a single response including information aggregated from the plurality of identity providers.
  - 20. The method of claim 11, wherein it is determined that disambiguation is unable to be performed when one or more API calls times out or returns unexpected, invalid, or throttled results.

21. A system comprising:
- a server having one or more processors and one or more computer-readable storage media; and
  
  at least one data store coupled with the server,the server configured to;
  
  receive a request for access to an application or service for which authentication is required;
  
  provide a first user interface that allows for selection from a first plurality of identity providers or identity provider types for authenticating to the application or service, wherein the first user interface further allows for selection of an option for seeking assistance in selecting one of the first plurality of identity providers or identity provider types;
  
  receive a selection of the option for seeking assistance in selecting one of the first plurality of identity providers or identity provider types;
  
  provide a second user interface prompting for input of a single user identifier; and
  
  place one or more Application Programming Interface (API) calls to perform discovery on the user identifier against a second plurality of identity providers to determine if any identity providers of the second plurality have an identity profile that matches the user identifier.
- View Dependent Claims (22, 23)
- - 22. The system of claim 21, wherein:
    - based at least on a determination that a single identity provider of the second plurality of identity providers has authentication information associated with the user identifier, the server is further configured to redirect the user for authentication against the single identity provider;
      
      based at least on the determination that multiple identity providers of the second plurality of identity providers have authentication information associated with the user identifier, the server is further configured to render a first disambiguation user interface;
      
      based at least on a determination that disambiguation is unable to be performed, the server is further configured to render a second disambiguation user interface; and
      
      based at least on a determination that no identity provider of the second plurality of identity providers has authentication information associated with the user identifier, the server is further configured to render at least one of an account creation interface and an interface permitting input of a different user identifier.
  - 23. The system of claim 21, wherein the server is further configured to determine that disambiguation is unable to be performed when one or more API calls times out or returns unexpected, invalid, or throttled results.

24. A system comprising:
- a server having one or more processors and one or more computer-readable storage media; and
  
  at least one data store coupled with the server,wherein the server;
  
  receives a first user identifier;
  
  places one or more Application Programming Interface (API) calls to perform discovery on the first user identifier against a plurality of identity providers to determine whether any of the plurality of identity providers has an identity profile that matches the first user identifier;
  
  based at least on a determination that a single identity provider of the plurality has a user profile that matches the first user identifier, provides redirect instructions for authenticating against the single identity provider;
  
  based at least on a determination that multiple identity providers of the plurality have a user profile that matches the first user identifier, provides instructions for rendering a first disambiguation user interface;
  
  based at least on a determination that disambiguation is unable to be performed, provides instructions for rendering a second disambiguation user interface; and
  
  based at least on a determination that no identity provider of the plurality has a user profile that matches the first user identifier, provides instructions for rendering at least one of an account creation interface and an interface permitting input of a second user identifier.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 25. The system of claim 24, wherein the first user identifier is one of an email address, a user name, and a telephone number.
  - 26. The system of claim 24, wherein the server provides instructions for rendering the first disambiguation user interface by providing instructions for rendering identifying information corresponding only to the multiple identity providers of the plurality that are determined to have a user profile that matches the user identifier.
  - 27. The system of claim 26, wherein the identifying information corresponding to at least one of the multiple identity providers of the plurality that are determined to have a user profile that matches the first user identifier matches information identifying an organizational owner of the first user identifier.
  - 28. The system of claim 24, wherein the server provides instructions for rendering the first disambiguation user interface by providing instructions for rendering identifying information corresponding to the multiple identity providers of the plurality that are determined to have a user profile that matches the user identifier and identifying information corresponding to at least one identity provider of the plurality that is determined not to have a user profile that matches the user identifier, and wherein the server further provides instructions for rendering the first disambiguation user interface to allow for creating an identity profile with the at least one identity provider that is determined not to have a user profile that matches the user identifier.
  - 29. The system of claim 24, wherein the one or more computing devices provide instructions for rendering the first disambiguation user interface by providing instructions for rendering the first disambiguation user interface to allow for user selection of one of the multiple identity providers.
  - 30. The system of claim 29, wherein the server further determines that the user identifier is organizationally owned, and wherein the server provides instructions for rendering the first disambiguation user interface by, at least in part, providing instructions for rendering identifying information for one of the multiple identity providers that includes information associated with the organization owning the user identifier.
  - 31. The system of claim 24, wherein the server provides instructions for rendering an account creation user interface by providing instructions for rendering the account creation user interface to allow for creating an identity profile with an identity provider of the plurality that is determined to be most appropriate for the user identifier.
  - 32. The system of claim 24, wherein the server receives a single user identifier by receiving an email address, the email address having a domain, and wherein the server further comprises:
    - determines that a particular identity provider of the plurality of identity providers is configured for the domain; and
      
      provides instructions for rendering identifying information corresponding to the particular identity provider.
  - 33. The system of claim 24, wherein the server determines that disambiguation is unable to be performed when one or more API calls times out or returns unexpected, invalid, or throttled results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Williams, Sam Franklin III, Thomas, William Louis, Van Waardhuizen, Michael Robert, Brenner, Jonathan Yoder, Caldwell, Tia Bianca, Doerr, Eric Wayne, Nathanson, Amy Caryl, Subramaniam, Sarat Chandra
Primary Examiner(s)
Dinh, Minh

Application Number

US14/164,990
Publication Number

US 20150215315A1
Time in Patent Office

1,079 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/31   User authentication

G06F 21/45   Structures or tools for the...

H04L 63/0884   by delegation of authentica...

Discovering and disambiguating identity providers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Discovering and disambiguating identity providers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links