Secure identity federation for non-federated systems

US 9,800,586 B2
Filed: 09/16/2016
Issued: 10/24/2017
Est. Priority Date: 10/01/2004
Status: Active Grant

First Claim

Patent Images

1. A method of providing a unified access to systems, the method including:

storing a plurality of sets of user credentials for a plurality of remote computer applications in a central repository accessible via an interoperability network, wherein the plurality of remote computer applications include non-federated entities that do not share a common identity verification protocol;

receiving an interoperability network credential that authorizes a user to use the plurality of remote computer applications and access the stored plurality of sets of the user credentials;

verifying that an intermediary service coupled to the interoperability network, upon receiving a request to perform, on behalf of the user, a particular task that requires access to and task performance by a particular remote computer application from the plurality of remote computer applications, has authorization to act on behalf of the user in obtaining authorized access to and task performance by the particular remote computer application; and

upon verification of authorization, automatically supplying the intermediary service with particular user credentials for the particular remote computer application from the central repository.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus, including computer program products, implementing and using techniques for providing user credentials over a network to a remote computer application. User credentials for the remote computer application are stored in a central repository that is accessible through the network. A request is sent to a service to perform, on behalf of a user, a particular task involving the remote computer application. It is determined whether the service has been granted permission to act on behalf of the user with respect to the remote computer application. When the service has permission to act on behalf of the user, the service is used to retrieve the user'"'"'s credentials for the remote computer application from the central repository and to supply the retrieved user credentials to the remote computer application.

295 Citations

20 Claims

1. A method of providing a unified access to systems, the method including:
- storing a plurality of sets of user credentials for a plurality of remote computer applications in a central repository accessible via an interoperability network, wherein the plurality of remote computer applications include non-federated entities that do not share a common identity verification protocol;
  
  receiving an interoperability network credential that authorizes a user to use the plurality of remote computer applications and access the stored plurality of sets of the user credentials;
  
  verifying that an intermediary service coupled to the interoperability network, upon receiving a request to perform, on behalf of the user, a particular task that requires access to and task performance by a particular remote computer application from the plurality of remote computer applications, has authorization to act on behalf of the user in obtaining authorized access to and task performance by the particular remote computer application; and
  
  upon verification of authorization, automatically supplying the intermediary service with particular user credentials for the particular remote computer application from the central repository.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further including for a plurality of intermediary services coupled to the interoperability network, receiving a selection specifying at least one intermediary service to act on behalf of the user by accessing user'"'"'s credentials.
  - 3. The method of claim 1, further including receiving instructions specifying a degree of authorization of the intermediary service.
  - 4. The method of claim 1, wherein the particular remote computer application is an on-demand service.
  - 5. The method of claim 1, wherein the intermediary service is an on-demand service.
  - 6. The method of claim 1, wherein verifying that the intermediary service has authorization includes checking a policy to determine conditions that the user has set for the intermediary service to act on behalf of the user.
  - 7. The method of claim 1, further including retrieving user credentials for the particular remote computer application and applying an enrichment prior to automatically providing the particular user credentials to the particular remote computer application.
  - 8. The method of claim 7, wherein the enrichment includes at least one of a digital signature and a tariff calculator for a purchase order.
  - 9. The method of claim 1, further including sending a notification to the user when the intermediary service accesses user credentials of the user.
  - 10. The method of claim 9, wherein the notification identifies at least one of:
    - the intermediary service;
      
      the particular remote computer application for which the user credentials were accessed;
      
      a user account associated with the user credentials; and
      
      an outcome of the intermediary service accessing user credentials of the user.
  - 11. The method of claim 9, further including, in response to sending the notification, receiving instructions from the user for at least one of:
    - revoking authorization of the intermediary service to act on behalf of the user; and
      
      modifying authorization of the intermediary service to act on behalf of the user.

12. A system of providing a unified access to systems, the system including:
- one or more processors coupled to memory storing computer instructions that, when executed on the processors, implement actions including;
  
  storing a plurality of sets of user credentials for a plurality of remote computer applications in a central repository accessible via an interoperability network, wherein the plurality of remote computer applications include non-federated entities that do not share a common identity verification protocol;
  
  receiving an interoperability network credential that authorizes a user to use the plurality of remote computer applications and access the stored plurality of sets of the user credentials;
  
  verifying that an intermediary service coupled to the interoperability network, upon receiving a request to perform, on behalf of the user, a particular task that requires access to and task performance by a particular remote computer application from the plurality of remote computer applications, has authorization to act on behalf of the user in obtaining authorized access to and task performance by the particular remote computer application; and
  
  upon verification of authorization, automatically supplying the intermediary service with particular user credentials for the particular remote computer application from the central repository.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, further configured to receive, for a plurality of intermediary services coupled to the interoperability network, a selection specifying at least one intermediary service to act on behalf of the user by accessing user'"'"'s credentials.
  - 14. The system of claim 12, further configured to receive instructions specifying a degree of authorization of the intermediary service.
  - 15. The system of claim 12, wherein the particular remote computer application is an on-demand service.
  - 16. The system of claim 12, wherein the intermediary service is an on-demand service.
  - 17. The system of claim 12, wherein verifying that the intermediary service has authorization includes checking a policy to determine conditions that the user has set for the intermediary service to act on behalf of the user.
  - 18. The system of claim 12, further including retrieving user credentials for the particular remote computer application and applying an enrichment prior to automatically providing the particular user credentials to the particular remote computer application.
  - 19. The system of claim 18, wherein the enrichment includes at least one of a digital signature and a tariff calculator for a purchase order.

20. A non-transitory computer readable medium storing a plurality of instructions for programming one or more processors to provide a unified access to systems, the instructions, when executed on the processors, implementing actions including:
- storing a plurality of sets of user credentials for a plurality of remote computer applications in a central repository accessible via an interoperability network, wherein the plurality of remote computer applications include non-federated entities that do not share a common identity verification protocol;
  
  receiving an interoperability network credential that authorizes a user to use the plurality of remote computer applications and access the stored plurality of sets of the user credentials;
  
  verifying that an intermediary service coupled to the interoperability network, upon receiving a request to perform, on behalf of the user, a particular task that requires access to and task performance by a particular remote computer application from the plurality of remote computer applications, has authorization to act on behalf of the user in obtaining authorized access to and task performance by the particular remote computer application; and
  
  upon verification of authorization, automatically supplying the intermediary service with particular user credentials for the particular remote computer application from the central repository.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Salesforce.com, Inc.
Original Assignee
Salesforce.com, Inc.
Inventors
Boulos, Thomas Nabiel, Behera, Prasanta Kumar
Primary Examiner(s)
McNally, Michael S

Application Number

US15/268,287
Publication Number

US 20170006041A1
Time in Patent Office

403 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 21/30   Authentication, i.e. establ...

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/08   for authentication of entit...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/02   based on web technology, e....

H04L 67/306   User profiles

H04L 69/329   in the application layer [O...

Secure identity federation for non-federated systems

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

295 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure identity federation for non-federated systems

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

295 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links