Distributed hierarchical identity management
Abstract
A system and methods for identity management and authentication are provided herein. The present invention employs shadow domains to prove entity membership in an identity management system where responsibility for trust relationships is devolved to the user. The present invention additionally teaches doubly signed certificate transmission for authentication of assertions made by third parties in the identity management network.
Claims (23)

1. A method comprising:
receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.
Dependent claims (not shown): 2, 3, 4, 5, 6, 7

8. A method comprising:
receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain; and
causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain;
indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.
Dependent claims (not shown): 9, 10, 11, 12, 13, 14

15. A non-transitory computer-readable medium comprising computer-executable instructions that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.
Dependent claims (not shown): 16, 17, 18

19. A non-transitory computer-readable medium comprising computer-executable instructions that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain;
causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain; and
indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.
Dependent claims (not shown): 20, 21

22. A computing device, comprising:
a processor; and
one or more computer-readable storage media comprising computer-executable instructions which, under the influence of the processor, are configured to perform operations comprising:
receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.

23. A system, comprising:
a processor; and
one or more computer-readable storage media comprising computer-executable instructions which, under the influence of the processor, are configured to perform operations comprising:
receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain; and
causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain; and
indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.
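The membersite-side flow of claim 1, as an added illustrative model that is not the patent's own code: the central authentication entity is stood in for by an in-memory table of shadow-zone records, the shadow domain is assumed to take the form "<homesite>.<shadow zone>", and the homesite's credential store, zone name and GUID values are all constructed. Resolution in the shadow zone is the only membership proof the membersite relies on, so the user-supplied homesite name is restricted to a single DNS label before it is ever mapped into the zone.

```python
import hmac
import re
from typing import Optional

# Constructed values (not from the patent): the shadow zone and the central
# authentication entity's records, which list only homesites that are network members.
SHADOW_ZONE = "shadow.example"
CENTRAL_SHADOW_RECORDS = {"idp-a." + SHADOW_ZONE: "192.0.2.10"}
# Constructed homesite credential store: homesite -> user -> (password, GUID).
HOMESITE_USERS = {"idp-a": {"alice": ("correct horse", "GUID-0001")}}

# One DNS label: letters, digits, hyphens, no dots, at most 63 characters.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def shadow_name(label: str) -> Optional[str]:
    """Map a homesite label onto the shadow zone. The label is untrusted user input;
    rejecting anything that is not a single label keeps the resolved name inside
    the zone the central entity controls (e.g. no 'idp-a.attacker.example')."""
    return f"{label}.{SHADOW_ZONE}" if LABEL_RE.match(label) else None


def central_resolve(name: str) -> Optional[str]:
    """Shadow domain name resolution by the central authentication entity (mocked).
    A successful resolution is the proof that the homesite is a network member."""
    return CENTRAL_SHADOW_RECORDS.get(name)


def homesite_authenticate(homesite: str, user: str, password: str) -> Optional[dict]:
    """Homesite side: verify the user's credentials and, on success, return the
    indication the membersite receives, carrying the user's globally unique identifier."""
    record = HOMESITE_USERS.get(homesite, {}).get(user)
    if record is None or not hmac.compare_digest(record[0], password):
        return None
    return {"homesite": homesite, "guid": record[1]}


def membersite_login(homesite: str, user: str, password: str) -> Optional[str]:
    """Membersite side of claim 1: take a homesite name with no prior trust
    relationship, redirect only if the shadow domain resolves, and accept the
    indication only from that homesite. Returns the authenticated GUID or None."""
    label = homesite.strip().lower()
    name = shadow_name(label)
    if name is None or central_resolve(name) is None:
        return None  # not a member: no redirection takes place
    indication = homesite_authenticate(label, user, password)
    if indication is None or indication["homesite"] != label:
        return None
    return indication["guid"]
```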
Specification