Revoking sessions using signaling

US 9,843,577 B2
Filed: 11/30/2016
Issued: 12/12/2017
Est. Priority Date: 08/06/2014
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for signaling to one or more entities that a session previously initiated by a user is to be revoked, the method comprising acts of:

receiving an indication that one or more credentials associated with a user account have been changed, the user account having at least one associated session previously initiated for the user account;

determining that a session token associated with the previously initiated session was issued before the received indication of the one or more changed credentials for the user account; and

based on the determination, signaling to an identity platform that the associated session previously initiated is to be revoked, wherein signaling to the identity platform that the previously initiated session is to be revoked comprises synchronizing a password timestamp with the identity platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed to revoking user sessions using signaling. In one scenario, an identity platform operating on a computer system receives an indication indicating that a user'"'"'s login account has been compromised, where the user'"'"'s login account has an associated login session and corresponding session artifact that is valid for a specified amount of time. The identity platform generates a signal indicating that the login session is no longer trusted and that the user is to be re-directed to the identity platform to re-authenticate and renew the session artifact and provides the generated signal to various relying parties including at least one relying party that is hosting the login session for the user.

14 Citations

17 Claims

1. A computer-implemented method for signaling to one or more entities that a session previously initiated by a user is to be revoked, the method comprising acts of:
- receiving an indication that one or more credentials associated with a user account have been changed, the user account having at least one associated session previously initiated for the user account;
  
  determining that a session token associated with the previously initiated session was issued before the received indication of the one or more changed credentials for the user account; and
  
  based on the determination, signaling to an identity platform that the associated session previously initiated is to be revoked, wherein signaling to the identity platform that the previously initiated session is to be revoked comprises synchronizing a password timestamp with the identity platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computer-implemented method of claim 1, wherein the password timestamp indicates the last time a user has changed their password.
  - 3. The computer-implemented method of claim 1, wherein the indication that one or more credentials associated with a user account have been changed is received from a user that has selected an option to revoke the associated session previously initiated.
  - 4. The computer-implemented method of claim 1, wherein the indication that one or more credentials associated with a user account have been changed is received from an administrator who has indicated that the previously initiated session is to be revoked.
  - 5. The computer-implemented method of claim 1, wherein the ability to signal to an identity platform that a previously initiated session is to be revoked is integrated into tools or workflows of a developer using an application programming interface (API).
  - 6. The computer-implemented method of claim 1, further comprising indicating that the user account is to be re-authenticated using an authentication means that is different than that used to authenticate the revoked session that was previously initiated.
  - 7. The computer-implemented method of claim 1, wherein the indication that one or more credentials associated with a user account have been changed comprises a signal indicating that credentials of a user of the account are no longer valid.

8. A computer system comprising:
- one or more processors;
  
  one or more computer-readable storage media having stored thereon computer-executable instructions that, when executed by the one or more processors, cause the computing system to perform a method for revoking user sessions using signaling, wherein the method comprises acts of;
  
  receiving an indication that one or more credentials associated with a user account have been changed, the user account having at least one associated session previously initiated for the user account;
  
  determining that a session token associated with the previously initiated session was issued before the received indication of the one or more changed credentials for the user account; and
  
  based on the determination, signaling to an identity platform that the associated session previously initiated is to be revoked, wherein signaling to the identity platform that the previously initiated session is to be revoked comprises synchronizing a password timestamp with the identity platform.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the password timestamp indicates the last time a user has changed their password.
  - 10. The computer system of claim 8, wherein the indication that one or more credentials associated with a user account have been changed is received from a user that has selected an option to revoke the associated session previously initiated.
  - 11. The computer system of claim 8, wherein the indication that one or more credentials associated with a user account have been changed is received from an administrator who has indicated that the previously initiated session is to be revoked.
  - 12. The computer system of claim 8, wherein the ability to signal to an identity platform that a previously initiated session is to be revoked is integrated into tools or workflows of a developer using an application programming interface (API).
  - 13. The computer system of claim 8, further comprising indicating that the user account is to be re-authenticated using an authentication means that is different than that used to authenticate the revoked session that was previously initiated.
  - 14. The computer system of claim 8, wherein the indication that one or more credentials associated with a user account have been changed comprises a signal indicating that credentials of a user of the account are no longer valid.

15. A computer program product comprising one or more hardware storage devices having thereon computer-executable instructions that are structured such that, when executed by one or more processors of a computing system, configure a computing system to perform a method for signaling to one or more entities that a session previously initiated by a user is to be revoked, and wherein the method comprises:
- receiving an indication that one or more credentials associated with a user account have been changed, the user account having at least one associated session previously initiated for the user account;
  
  determining that a session token associated with the previously initiated session was issued before the received indication of the one or more changed credentials for the user account; and
  
  based on the determination, signaling to an identity platform that the associated session previously initiated is to be revoked, wherein signaling to the identity platform that the previously initiated session is to be revoked comprises synchronizing a password timestamp with the identity platform.
- View Dependent Claims (16, 17)
- - 16. The computer program product of claim 15, wherein the indication that one or more credentials associated with a user account have been changed is received from a user that has selected an option to revoke the associated session previously initiated.
  - 17. The computer program product of claim 15, wherein the indication that one or more credentials associated with a user account have been changed is received from an administrator who has indicated that the previously initiated session is to be revoked.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Gordon, Ariel, Devasahayam, Samuel, Zhao, Lu, Rouskov, Yordan, Arewar, Parmeshwar Miguel Sequeira, Gopalakrishnan, Venkatesh, Subramaniam, Sarat Chandra, Miron, Titus Constantin
Primary Examiner(s)
ZAIDI, SYED A

Application Number

US15/365,726
Publication Number

US 20170085553A1
Time in Patent Office

377 Days
Field of Search

726 6
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/102   Entity profiles

H04L 63/1416   Event detection, e.g. attac...

H04L 67/02   based on web technology, e....

H04L 67/14   Session management for real...

H04L 69/28   Timers or timing mechanisms...

Revoking sessions using signaling

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Revoking sessions using signaling

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links