Secure configuration catalog of trusted identity providers

US 9,690,920 B2
Filed: 08/30/2012
Issued: 06/27/2017
Est. Priority Date: 08/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method for enabling access to a protected resource by a client, comprising:

in association with a service provider, storing a private catalog of information about one or more identity providers that are trusted by a service provider, the private catalog of information comprising, for each identity provider, a trust document that comprises private configuration data describing how the service provider uses the identity provider, a specification of one or more websites serviced by the identity provider, and one or more cryptographic artifacts used by the identity provider for cryptographic operations, wherein the identity provider cryptographic artifact is a digital certificate associated with the identity provider, the private configuration data being inaccessible by the client while being stored, the service provider executing on a data processing machine having a hardware element;

responsive to receipt of a request to access the protected resource by the client, the service provider using the private configuration data to redirect the client to an identity provider;

while the request to access the protected resource by the client remains pending, the service provider receiving identity information representing a user that has authenticated to the identity provider to which the client was redirected based on the private configuration data;

while the request to access the protected resource by the client remains pending, the service provider determining whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf by evaluating the private configuration data in the trust document, wherein evaluating the private configuration data includes determining, based on the specification, whether a website associated with the service provider is authorized to use the identity provider to authenticate users, and determining, based on the one or more cryptographic artifacts, whether a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid for use by the service provider to cryptographically verify the identity information representing the user; and

if the identity provider is trusted based on the determining operations, and as a response to the request to access, permitting the client to access the protected resource.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure database includes a catalog of information about one or more identity providers (IdPs) that are trusted by a service provider (SP) to authenticate users on the SP'"'"'s behalf. The catalog securely stores one or more IdP configurations. An entry in the database stores information associated with the trusted IdP including artifacts to identify the IdP, artifacts used by the IdP for cryptographic operations, and a specification of one or more website(s) serviced by the trusted identity provider. Upon receipt by the SP of identity information representing a user that has authenticated to an IdP, information in the catalog of information is used to determine whether the IdP is trusted to authenticate the user on the service provider'"'"'s behalf. The determination verifies that the SP uses the IdP and that a binding between an IdP identifier and at least one IdP cryptographic artifact is valid.

16 Citations

View as Search Results

18 Claims

1. A method for enabling access to a protected resource by a client, comprising:
- in association with a service provider, storing a private catalog of information about one or more identity providers that are trusted by a service provider, the private catalog of information comprising, for each identity provider, a trust document that comprises private configuration data describing how the service provider uses the identity provider, a specification of one or more websites serviced by the identity provider, and one or more cryptographic artifacts used by the identity provider for cryptographic operations, wherein the identity provider cryptographic artifact is a digital certificate associated with the identity provider, the private configuration data being inaccessible by the client while being stored, the service provider executing on a data processing machine having a hardware element;
  
  responsive to receipt of a request to access the protected resource by the client, the service provider using the private configuration data to redirect the client to an identity provider;
  
  while the request to access the protected resource by the client remains pending, the service provider receiving identity information representing a user that has authenticated to the identity provider to which the client was redirected based on the private configuration data;
  
  while the request to access the protected resource by the client remains pending, the service provider determining whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf by evaluating the private configuration data in the trust document, wherein evaluating the private configuration data includes determining, based on the specification, whether a website associated with the service provider is authorized to use the identity provider to authenticate users, and determining, based on the one or more cryptographic artifacts, whether a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid for use by the service provider to cryptographically verify the identity information representing the user; and
  
  if the identity provider is trusted based on the determining operations, and as a response to the request to access, permitting the client to access the protected resource.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method as described in claim 1 wherein the identity information is a SAML assertion.
  - 3. The method as described in claim 1 further including restricting write access to the private catalog of information.
  - 4. The method as described in claim 1 wherein the private catalog of information comprises a discrete and secure configuration trust document associated with each identity provider.
  - 5. The method as described in claim 1 wherein the method further comprises:
    - receiving the request from the client to access the protected resource;
      
      using information in the private catalog of information to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.
  - 6. The method as described in claim 1 wherein the trust document for a given identity provider also includes an identity of one or more websites that are authorized to use the identity provider.

7. Apparatus, comprising:
- a processor;
  
  computer memory holding computer program instructions that when executed by the processor perform a method for enabling access to a protected resource by a client, the method comprising;
  
  in association with a service provider, storing a private catalog of information about one or more identity providers that are trusted by a service provider, the private catalog of information comprising, for each identity provider, a trust document that comprises private configuration data describing how the service provider uses the identity provider, a specification of one or more websites serviced by the identity provider, and one or more cryptographic artifacts used by the identity provider for cryptographic operations, wherein the identity provider cryptographic artifact is a digital certificate associated with the identity provider, the private configuration data being inaccessible by the client while being stored, the service provider executing on a data processing machine having a hardware element;
  
  responsive to receipt of a request to access the protected resource by the client, the service provider using the private configuration data to redirect the client to an identity provider;
  
  while the request to access the protected resource by the client remains pending, the service provider receiving identity information representing a user that has authenticated to the identity provider to which the client was redirected based on the private configuration data;
  
  while the request to access the protected resource by the client remains pending, the service provider determining whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf by evaluating the private configuration data in the trust document, wherein evaluating the private configuration data includes determining, based on the specification, whether a website associated with the service provider is authorized to use the identity provider to authenticate users, and determining, based on the one or more cryptographic artifacts, whether a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid for use by the service provider to cryptographically verify the identity information representing the user; and
  
  if the identity provider is trusted based on the determining operations, and as a response to the request to access, permitting the client to access the protected resource.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus as described in claim 7 wherein the identity information is a SAML assertion.
  - 9. The apparatus as described in claim 7 wherein the method further includes restricting write access to the private catalog of information.
  - 10. The apparatus as described in claim 7 wherein the private catalog of information comprises a discrete and secure configuration trust document associated with each identity provider.
  - 11. The apparatus as described in claim 7 wherein the method further comprises:
    - receiving the request from the client to access the protected resource;
      
      using information in the private catalog of information to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.
  - 12. The apparatus as described in claim 7 wherein the trust document for a given identity provider also includes an identity of one or more websites that are authorized to use the identity provider.

13. A computer program product in a non-transitory computer readable medium for use in a data processing system for providing identity provider services using an identity provider instance discovery service, the computer program product holding computer program instructions which, when executed by the data processing system, perform a method for enabling access to a protected resource by a client, the method comprising:
- in association with a service provider, storing a private catalog of information about one or more identity providers that are trusted by a service provider, the private catalog of information comprising, for each identity provider, a trust document that comprises private configuration data describing how the service provider uses the identity provider, a specification of one or more websites serviced by the identity provider, and one or more cryptographic artifacts used by the identity provider for cryptographic operations, wherein the identity provider cryptographic artifact is a digital certificate associated with the identity provider, the private configuration data being inaccessible by the client while being stored, the service provider executing on a data processing machine having a hardware element;
  
  responsive to receipt of a request to access the protected resource by the client, the service provider using the private configuration data to redirect the client to an identity provider;
  
  while the request to access the protected resource by the client remains pending, the service provider receiving identity information representing a user that has authenticated to the identity provider to which the client was redirected based on the private configuration data;
  
  while the request to access the protected resource by the client remains pending, the service provider determining whether the identity provider is trusted to authenticate the user on the service provider'"'"'s behalf by evaluating the private configuration data in the trust document, wherein evaluating the private configuration data includes determining, based on the specification, whether a website associated with the service provider is authorized to use the identity provider to authenticate users, and determining, based on the one or more cryptographic artifacts, whether a binding between an identity provider identifier and at least one identity provider cryptographic artifact is valid for use by the service provider to cryptographically verify the identity information representing the user; and
  
  if the identity provider is trusted based on the determining operations, and as a response to the request to access, permitting the client to access the protected resource.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The computer program product as described in claim 13 wherein the identity information is a SAML assertion.
  - 15. The computer program product as described in claim 13 wherein the method further includes restricting write access to the private catalog of information.
  - 16. The computer program product as described in claim 13 wherein the private catalog of information comprises a discrete and secure configuration trust document associated with each identity provider.
  - 17. The computer program product as described in claim 13 wherein the method further comprises:
    - receiving the request from the client to access the protected resource;
      
      using information in the private catalog of information to locate a configuration that corresponds to a website associated with the protected resource; and
      
      redirecting to the website to enable the user to be authenticated at the identity provider.
  - 18. The computer program product as described in claim 13 wherein the trust document for a given identity provider also includes an identity of one or more websites that are authorized to use the identity provider.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Green Market Square Limited
Original Assignee
International Business Machines Corporation
Inventors
Mancuso, Patrick Charles, Paganetti, Robert John, Marcus, Jane B., Kern, Jr., David Scott, Kerrigan, Michael J., Eldridge, Alan D.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
Doan, Huan V

Application Number

US13/599,348
Publication Number

US 20140068743A1
Time in Patent Office

1,762 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/33   using certificates

H04L 63/0815   providing single-sign-on or...

H04L 63/0884   by delegation of authentica...

Secure configuration catalog of trusted identity providers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Secure configuration catalog of trusted identity providers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others