Distributed hierarchical identity management

US 7,793,095 B2
Filed: 06/06/2003
Issued: 09/07/2010
Est. Priority Date: 06/06/2002
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;

causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and

receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and methods for identity management and authentication are provided herein. The present invention employs shadow domains to prove entity membership in an identity management system where responsibility for trust relationships is devolved to the user. The present invention additionally teaches doubly signed certificate transmission for authentication of assertions made by third parties in the identity management network.

26 Citations

View as Search Results

23 Claims

1. A method comprising:
- receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
  
  causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
  
  receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the receiving the name of the homesite comprises examining a cookie associated with the user.
  - 3. The method of claim 1, wherein the homesite is configured to provide both user identity authentication information and user identity information, and the redirection further comprises redirection of an identity information request from the membersite to the homesite in the shadow domain.
  - 4. The method of claim 3, wherein the receiving an indication of an authentication further comprises receiving identity information from the homesite.
  - 5. The method of claim 3, further comprising:
    - receiving identity information not provided by the homesite; and
      
      redirecting to the homesite to communicate received identity information to the homesite.
  - 6. The method of claim 5, wherein the identity information not provided by the homesite is received from the user.
  - 7. The method of claim 1, wherein the membersite is configured to request information in a standardized manner from a plurality of homesites using an information schema administered by the central authentication authority.

8. A method comprising:
- receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain; and
  
  causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain;
  
  indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the indicating the user identity authentication information to the membersite is performed responsive to receiving a user ID and password combination associated with the globally unique identifier.
  - 10. The method of claim 8, wherein the indicating the user identity authentication information to the membersite comprises communicating a cookie, readable by the membersite, containing an indication of user authentication and the globally unique identifier.
  - 11. The method of claim 8, wherein the receiving the user associated request to provide the user identity authentication information comprises receiving an identity information request.
  - 12. The method of claim 11, wherein the indicating the user identity authentication information comprises communicating to the membersite identity information upon receipt of the valid authentication information.
  - 13. The method of claim 12, wherein the indicating the user identity authentication information to the membersite comprises communicating the identity information after obtaining user authorization for transfer of the identity information to the membersite.
  - 14. The method of claim 11, further comprising:
    - receiving, from the user, identity information obtained by the membersite; and
      
      storing transferred identity information in a user profile database.

15. A non-transitory computer-readable medium comprising computer-executable instructions that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
- receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
  
  causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
  
  receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.
- View Dependent Claims (16, 17, 18)
- - 16. A non-transitory computer-readable medium of claim 15, wherein the homesite is configured to provide both user identity authentication information and user identity information, and the redirection further comprises redirection of an identity information request from the membersite to the homesite in the shadow domain.
  - 17. The non-transitory computer-readable mediumof claim 16, wherein the receiving the indication of the authentication further comprises receiving identity information from the homesite.
  - 18. The non-transitory computer-readable medium of claim 16, wherein the operations further comprise:
    - receiving identity information not provided by the homesite; and
      
      redirecting to the homesite to communicate received identity information to the homesite.

19. A non-transitory computer-readable medium comprising computer-executable instructions that, responsive to execution by a computing device, cause the computing device to perform operations comprising:
- receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain;
  
  causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain; and
  
  indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.
- View Dependent Claims (20, 21)
- - 20. The non-transitory computer-readable medium of claim 19, wherein the indicating the user identity authentication information to the membersite is performed responsive to receiving a user ID and password combination associated with the globally unique identifier.
  - 21. The non-transitory computer-readable medium of claim 19, wherein the indicating the user identity authentication information to the membersite comprises communicating a cookie, readable by the membersite, containing an indication of user authentication and the globally unique identifier.

22. A computing device, comprising:
- a processor; and
  
  one or more computer-readable storage media comprising computer-executable instructions which, under the influence of the processor, are configured to perform operations comprising;
  
  receiving, at a membersite, a name of a homesite that is configured to provide user identity authentication for the membersite based on user authentication information maintained by the homesite, the membersite not having an explicit trust relationship with the homesite;
  
  causing, by the membersite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for a shadow domain associated with the homesite, wherein a successful shadow domain name resolution enables redirection of a user identity authentication request from the membersite to the homesite in the shadow domain; and
  
  receiving, at the membersite, an indication of an authentication of the user identity from the homesite in response to the homesite receiving valid user authentication information, the valid user authentication information including a globally unique identifier associated with the user.

23. A system, comprising:
- a processor; and
  
  one or more computer-readable storage media comprising computer-executable instructions which, under the influence of the processor, are configured to perform operations comprising;
  
  receiving, at a homesite, a user associated request to provide user identity authentication information for a membersite, the user being associated with a globally unique identifier and other authentication information, the membersite not having an explicit trust relationship with the homesite, the homesite being communicatively linked with the membersite through a shadow domain; and
  
  causing, by the homesite, transmission, to a central authentication entity, of a request for a shadow domain name resolution for the shadow domain that is associated with the membersite, wherein a successful shadow domain name resolution enables redirection from the homesite to the membersite in the shadow domain; and
  
  indicating, by the homesite, through the redirection to the membersite in the shadow domain, the user identity authentication information to the membersite in response to receiving valid authentication information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Callahan Cellular LLC (Intellectual Ventures LLC)
Original Assignee
Dormarke Assets LLC (Intellectual Ventures LLC)
Inventors
Hardt, Dick C.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
Nobahar; Abdulhakim

Application Number

US10/455,438
Publication Number

US 20030229783A1
Time in Patent Office

2,650 Days
Field of Search

713/155, 713/161, 713/168, 713/170, 713/182, 713/183, 726 2- 6, 726 26- 30, 709/245, 705/67
US Class Current

713/155
CPC Class Codes

G06F 21/33   using certificates

G06F 21/41   where a single sign-on prov...

H04L 63/0815   providing single-sign-on or...

H04L 63/102   Entity profiles

Distributed hierarchical identity management

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed hierarchical identity management

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links