Method and apparatus for handling user identities under single sign-on services
Abstract
An apparatus and method for providing Single Sign-On services to a user when accessing a selected Service Provider from a plurality of Service Providers. An Authentication Provider authenticates the user with a user-identity, provides the user with a token as proof of the authentication, and assigns a temporary alias-identity to the user for use when the user accesses the selected Service Provider. The Authentication Provider and the selected Service Provider link the assigned alias-identity and the user-identity to identify the user at their respective sites. The user accesses the selected Service Provider by presenting the token along with a local user-identity valid for the selected Service Provider. When the user attempts a subsequent access at the selected Service Provider, the user is identified by the shared alias-identity if the user allowed permanent linking. If the user did not allow permanent linking, the process is repeated for each subsequent access.
195 Citations
18 Claims
1. (canceled)

7. (canceled)

13. (canceled)

16. A method of handling and correlating a plurality of user-identities for a user having a plurality of local user-identities utilized to access a plurality of Service Providers, said method providing Single Sign-On services to the user when accessing a selected Service Provider from the plurality of Service Providers, the method comprising the steps of:

authenticating the user at an Authentication Provider with a user-identity used for authentication purposes;
providing the user with a token as proof that the user has already been authenticated by the Authentication Provider;
assigning at the Authentication Provider a temporary alias-identity to the user to be utilized the first time the user accesses the selected Service Provider identified by a given Service Provider identifier;
linking at the Authentication Provider and at the selected Service Provider, the assigned alias-identity and the user-identity used for authentication purposes, both Providers sharing and uniquely exchanging the alias-identity to identify the user at respective sites, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user;
attempting a first access by the user at the selected Service Provider, said attempting step including presenting the token to the selected Service Provider along with a local user-identity valid for the selected Service Provider;
providing the user with access by the selected Service Provider based on the shared alias-identity;
determining at a later time, that the user is attempting a subsequent access at the selected Service Provider;
identifying the user by the shared alias-identity and providing access, if permanent linking was allowed by the user; and
repeating the steps of assigning a temporary alias-identity, linking on a temporary basis, and providing access, if permanent linking was not allowed by the user.
(Dependent claims: 2, 3, 4, 5, 6)

17. An Authentication Provider for carrying out a Single Sign-On authentication of a user accessing a selected Service Provider from a plurality of Service Providers utilized by the user, the user having a user-identity used for authentication purposes, the Authentication Provider comprising:

means for authenticating the user with a user-identity used for authentication purposes;
means for providing the user with a token as proof that the user has already been authenticated;
means for assigning a temporary alias-identity to the user to be utilized the first time the user accesses the selected Service Provider identified by a given Service Provider identifier;
means for linking the assigned alias-identity with the user-identity used for authentication purposes and with the Service Provider identifier of the selected Service Provider, said linking being performed on a permanent basis if allowed by the user or on a temporary basis if not allowed by the user; and
means for authenticating the user's linked alias-identity towards the selected Service Provider whenever the user attempts to access the selected Service Provider, if permanent linking was allowed.
(Dependent claims: 8, 9, 10, 11, 12)

18. A Service Provider comprising:

means for receiving a service request from an accessing user, the service request including an authentication token for the user that indicates that the user has already been authenticated;
means for verifying the authentication token with an Authentication Provider that generated the token, and means for obtaining from the user, a local user-identity to identify a user's account with the Service Provider;
means for obtaining from the Authentication Provider a shared alias-identity for the user;
means for linking the local user-identity with the received shared alias-identity, on a permanent basis if allowed by the user, or on a temporary basis if not allowed by the user; and
means for requesting the Authentication Provider to authenticate the user's shared alias-identity whenever the user subsequently requests access, if permanent linking was allowed.
(Dependent claims: 14, 15)
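As an added illustration, not code from the patent or from any product implementing it, the following Python model walks through the flow of claims 16 to 18: the Authentication Provider authenticates the user, issues a token, assigns an alias-identity that is distinct per Service Provider and links it permanently or only temporarily; the Service Provider verifies the token with the Authentication Provider, links the alias to the user's local identity, and on later accesses identifies the user by the alias alone only when permanent linking was allowed. Class and method names, the password store and the random token format are assumptions.

```python
import secrets


class AuthenticationProvider:
    def __init__(self, credentials):
        self.credentials = credentials  # user-identity -> password (constructed sample)
        self.tokens = {}  # token -> authenticated user-identity
        self.links = {}  # (user-identity, sp_id) -> permanently linked alias

    def authenticate(self, user_id, password):
        if self.credentials.get(user_id) != password:
            return None
        token = secrets.token_urlsafe(16)  # proof of authentication handed to the user
        self.tokens[token] = user_id
        return token

    def alias_for(self, token, sp_id, permanent):
        """Reuse the permanently linked alias, else assign a fresh one for this SP only."""
        user_id = self.tokens.get(token)
        if user_id is None:
            return None
        if (user_id, sp_id) in self.links:
            return self.links[(user_id, sp_id)]
        alias = secrets.token_hex(8)  # distinct per SP, so SPs cannot correlate users
        if permanent:
            self.links[(user_id, sp_id)] = alias
        return alias  # temporary linking: not retained beyond this access

    def authenticate_alias(self, token, sp_id, alias):
        """Subsequent access: confirm the alias is linked to this token's user at this SP."""
        user_id = self.tokens.get(token)
        return user_id is not None and self.links.get((user_id, sp_id)) == alias


class ServiceProvider:
    def __init__(self, sp_id, ap):
        self.sp_id, self.ap = sp_id, ap
        self.accounts = {}  # alias -> local user-identity (permanent links only)

    def access(self, token, permanent, local_id=None):
        alias = self.ap.alias_for(token, self.sp_id, permanent)
        if alias is None:
            return None  # token could not be verified with the issuing AP
        if alias in self.accounts:  # permanent link: identify by alias, re-check with the AP
            ok = self.ap.authenticate_alias(token, self.sp_id, alias)
            return self.accounts[alias] if ok else None
        if local_id is None:
            return None  # first or temporary access needs the user's local identity
        if permanent:
            self.accounts[alias] = local_id  # permanent linking at the SP
        return local_id
```

With temporary linking the alias is discarded after each access, so a Service Provider that is visited twice sees two unrelated aliases and must again be given the local identity.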
Specification