POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE

US 20080229384A1
Filed: 08/22/2007
Published: 09/18/2008
Est. Priority Date: 03/16/2007
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a machine (135) operative as an identity provider;

a receiver (705) to receive a request for a security token (160);

a transmitter (710) to transmit said security token (160) responsive to said request;

at least one audit policy (725) including a trigger (730) based on said security token (160) and an audit action (735); and

an audit operator (740) operative to perform said audit action (735) if said trigger (730) occurs.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user defines an audit policy. The audit policy identifies one or more triggers that, when related information is included in a security token, trigger the performance of the audit. The audit can include notifying the user in some manner that the trigger occurred. The audit can require in-line confirmation of the audit, so that the security token is not transmitted until the user confirms the audit.

Citations

30 Claims

1. An apparatus, comprising:
- a machine (135) operative as an identity provider;
  
  a receiver (705) to receive a request for a security token (160);
  
  a transmitter (710) to transmit said security token (160) responsive to said request;
  
  at least one audit policy (725) including a trigger (730) based on said security token (160) and an audit action (735); and
  
  an audit operator (740) operative to perform said audit action (735) if said trigger (730) occurs.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. An apparatus according to claim 1, wherein said audit action (735) includes at least one of an e-mail message (810) to send to a user, an SMS message (805) to send to said user, a log responsive to said audit policy, and an RSS feed responsive to said audit policy.
  - 3. An apparatus according to claim 1, wherein said audit action (735) includes at least one of a first message (810) relating to said security token (160) to send to a user and a second message (810) identifying a client (105) requesting said security token (160) to send to said user.
  - 4. An apparatus according to claim 3, wherein said audit action (735) further includes a third message (810) including details of a transaction (815) involving said security token (160) to send to said user.
  - 5. An apparatus according to claim 4, wherein said details of a transaction (815) include an identity of a relying party (130) receiving said security token (160).
  - 6. An apparatus according to claim 1, wherein the receiver (705) is operative to receive the audit policy (725) from a user.
  - 7. An apparatus according to claim 1, wherein the transmitter (710) is operative to transmit said security token (160) responsive to a user approving said audit action (735).
  - 8. An apparatus according to claim 1, wherein:
    - said request identifies at least one datum (715, 720) to be included in said security token (160);
      
      the at least one audit policy (725) is associated with said datum (715, 720).

9. A memory for storing data for access on a computer system, comprising:
- a data structure (1210) stored in the memory (1205), the data structure including;
  
  a first identifier (1215) of a datum stored in the memory (1205); and
  
  an audit action (1220) to perform associated with the first identifier (1215) of said datum.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. A memory according to claim 9, wherein the audit action (1220) includes at least one of an e-mail message (810) to send to a user, an SMS message (805) to send to the user, a log generated from said datum, and an RSS feed generated from said datum.
  - 11. A memory according to claim 9, wherein the audit action (1220) includes at least one of instructions (810) to inform a user about a security token (160) associated with said datum and instructions (810) to inform a user about an identity of a client (105) requesting said security token (160).
  - 12. A memory according to claim 11, wherein the audit action (1220) further includes instructions (810) to inform said user about details of a transaction (815) involving said security token (160).
  - 13. A memory according to claim 9, wherein the data structure further includes an in-line flag (1225) indicating whether the audit action (1220) should be performed before a security token (160) including said datum is transmitted.
  - 14. A memory according to claim 9, wherein said datum is to be included in a security token (160).

15. A method for triggering an audit, comprising:
- receiving (1410) a request for a security token (160), the request identifying at least one datum (715, 720);
  
  accessing (1415) an audit policy (710) associated with the datum (715, 720);
  
  identifying (1420) a trigger (730) associated with the security token (160);
  
  performing (1425) an audit action (735) responsive to the identified trigger (730); and
  
  transmitting (1450) the security token (160) responsive to the received request.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. A method according to claim 15, wherein:
    - performing (1425) an audit action (735) includes performing at least one of sending an e-mail (810) to a user, sending an SMS message (805) to the user, logging information generated from the security token, and an RSS feed generated from the security token.
  - 17. A method according to claim 15, wherein performing (1425) an audit action (735) includes informing a user (810) about at least one of the contents of the security token (160) and an identity of a client (105) requesting the security token (160).
  - 18. A method according to claim 17, wherein performing (1425) an audit action (735) further includes informing the user about details of a transaction (815) involving the security token (160).
  - 19. A method according to claim 18, wherein informing the user about details of a transaction (815) includes identifying a relying party (130) receiving the security token (160).
  - 20. A method according to claim 15, further comprising receiving (130) the audit policy (725) from a user, the audit policy (725) identifying the trigger (730) and the audit action (735).
  - 21. A method according to claim 15, wherein:
    - performing (1425) an audit action (735) includes requesting (1435) a user to approve the transmission of the security token (160); and
      
      transmitting (1450) a security token (160) includes transmitting (1450) the security token (160) only if the user approves (1440) the transmission of the security token (160).
  - 22. A method according to claim 21, wherein transmitting (1450) the security token (160) includes denying (1445) a transaction (815) if the user does not approve the transmission of the security token (160).

23. An article, comprising a storage medium, said storage medium having stored thereon instructions that, when executed by a machine, result in:
- receiving (1410) a request for a security token (160), the request identifying at least one datum (715, 720);
  
  accessing (1415) an audit policy (710) associated with the datum (715, 720);
  
  identifying (1420) a trigger (730) associated with the security token (160);
  
  performing (1425) an audit action (735) responsive to the identified trigger (730); and
  
  transmitting (1450) the security token (160) responsive to the received request.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. An article according to claim 23, wherein:
    - performing (1425) an audit action (735) includes performing at least one of sending an e-mail (810) to a user, sending an SMS message (805) to the user, logging information generated from the security token, and an RSS feed generated from the security token.
  - 25. An article according to claim 23, wherein performing (1425) an audit action (735) includes informing a user (810) about at least one of the contents of the security token (160) and an identity of a client (105) requesting the security token (160).
  - 26. An article according to claim 25, wherein performing (1425) an audit action (735) further includes informing the user about details of a transaction (815) involving the security token (160).
  - 27. An article according to claim 26, wherein informing the user about details of a transaction (815) includes identifying a relying party (130) receiving the security token (160).
  - 28. An article according to claim 23, wherein said storage medium has stored thereon further instructions that, when executed by the machine, result in receiving (130) the audit policy (725) from a user, the audit policy (725) identifying the trigger (730) and the audit action (735).
  - 29. An article according to claim 23, wherein:
    - performing (1425) an audit action (735) includes requesting (1435) a user to approve the transmission of the security token (160); and
      
      transmitting (1450) a security token (160) includes transmitting (1450) the security token (160) only if the user approves (1440) the transmission of the security token (160).
  - 30. An article according to claim 29, wherein transmitting (1450) the security token (160) includes denying (1445) a transaction (815) if the user does not approve the transmission of the security token (160).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Apple Inc.
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Felsted, Patrick R., Sermersheim, James G., Doman, Thomas E., Hodgkinson, Andrew A., Buss, Duane F.

Granted Patent

US 8,370,913 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/41   where a single sign-on prov...

G06Q 20/10   specially adapted for elect...

G06Q 20/367   involving electronic purses...

G06Q 20/382   insuring higher security of...

G06Q 20/40   Authorisation, e.g. identif...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/20   for managing network securi...

POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY-BASED AUDITING OF IDENTITY CREDENTIAL DISCLOSURE BY A SECURE TOKEN SERVICE

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links