Systems and methods for providing distributed authentication of service requests by identity management components

US 9,954,839 B2
Filed: 06/28/2013
Issued: 04/24/2018
Est. Priority Date: 06/28/2013
Status: Active Grant

First Claim

Patent Images

1. A client device in a network having a plurality of identity management (IDM) components, the client device comprising:

a processor and a memory, said memory containing instructions executed by said processor to cause the processor to;

generate a request for authentication for a service provided by a service provider;

publish, to a broker for selecting a particular IDM component from the plurality of IDM components providing distributed authentication for accessing the service provided by the service provider, the authentication request using a publish-subscribe message pattern wherein the client device is a publisher and the plurality of IDM components are subscribers;

receive an authentication initiation message from the particular IDM component selected by the broker; and

directly negotiate with the particular IDM component selected by the broker for a receipt of authentication information identifying the particular IDM component of the plurality of IDM components.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

There is described a system for authenticating a client device in a network having a plurality of IDM components. One or more of the IDM components subscribes (using the publish-subscribe message pattern) to authentication requests published by client devices. The client device publishes an authentication request into the network. The most appropriate IDM component to process the published authentication request is selected, and the authentication request forwarded to the selected IDM component. The selected IDM component is then operated to negotiate with and authenticate the client device.

22 Citations

View as Search Results

19 Claims

1. A client device in a network having a plurality of identity management (IDM) components, the client device comprising:
- a processor and a memory, said memory containing instructions executed by said processor to cause the processor to;
  
  generate a request for authentication for a service provided by a service provider;
  
  publish, to a broker for selecting a particular IDM component from the plurality of IDM components providing distributed authentication for accessing the service provided by the service provider, the authentication request using a publish-subscribe message pattern wherein the client device is a publisher and the plurality of IDM components are subscribers;
  
  receive an authentication initiation message from the particular IDM component selected by the broker; and
  
  directly negotiate with the particular IDM component selected by the broker for a receipt of authentication information identifying the particular IDM component of the plurality of IDM components.
- View Dependent Claims (2, 3, 4, 5, 6, 17, 18, 19)
- - 2. The client device of claim 1, wherein the instructions are configured to cause the processor to:
    - receive the authentication information from the particular IDM component selected by the broker;
      
      send the authentication information directly to the service provider to request the service from the service provider in the network.
  - 3. The client device of claim 1, wherein the authentication information includes an assertion token.
  - 4. The client device of claim 3, wherein the assertion token is service-specific.
  - 5. The client device of claim 1, wherein the authentication initiation message from the particular IDM component includes a certificate of the particular IDM component, and the instructions are configured to cause the processor to verify the certificate.
  - 6. The client device of claim 1, wherein the instructions are configured so that the negotiation includes the establishment of a secure session with the particular IDM component selected by the broker.
  - 17. A memory comprising a computer program having a computer readable code which, when run on a device, causes it to behave as a device according to claim 1, the memory further comprising a computer readable means on which the computer program is stored.
  - 18. The memory according to claim 17, wherein the memory is arranged in the form of a computer program product.
  - 19. A vessel or vehicle comprising the client device of claim 1.

7. An identity management (IDM) component in a network having a plurality of IDM components, the IDM component comprising:
- a processor and a memory, said memory containing instructions executed by said processor to cause the processor to;
  
  subscribe, via a broker disposed between a client device and a service provider, to receive authentication requests published by the client device in the network, wherein the client device is a publisher and the IDM component is a subscriber;
  
  receive, from the broker, an authentication request published by a client device, the IDM component selected from the plurality of IDM components for providing authentication for accessing a service provided by the service provider;
  
  initiate, by the IDM component, a negotiation directly with the client device; and
  
  authenticate the client device or a user of the client device; and
  
  transmit authentication information for accessing the service provided by the service provider, the authentication information identifying the IDM component of the plurality of IDM components.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The IDM component of claim 7, wherein the authentication information transmitted to the client device comprises an assertion token.
  - 9. The IDM component of claim 7, wherein the instructions are configured to cause the processor to:
    - receive a verification request from the service provider in the network, the verification request including an identifier of the client device or user or the assertion token; and
      
      transmit verification of the authentication of the client device or user or assertion token to the service provider.
  - 10. The IDM component of claim 9, wherein the instructions are configured to cause the processor to subscribe to verification requests published in the network, and wherein the verification request received from the service provider is a verification request published by the service provider.
  - 11. The IDM component of claim 7, wherein the instructions are configured to cause the processor to subscribe, via the broker in the network, to receive the verification request, and receive the verification request from said broker.
  - 12. The IDM component of claim 11, wherein the subscription includes details of the capabilities of the IDM component.
  - 13. The IDM component of claim 11, wherein the capabilities include one or more selected from a region of the IDM component, authentication protocols available to the IDM component, availability of IDM component, number of authentications currently being handled by IDM component.

14. A service provider in a network having a plurality of distributed identity management (IDM) components, the service provider comprising:
- a processor and a memory, said memory containing instructions executed by said processor to cause the processor to;
  
  receive, via an input/output device, a service request from a client device in the network, said service request including at least one of an authentication of the client and an assertion token;
  
  publish, to a broker for selecting a particular IDM component from the plurality of IDM components for verifying the at least one of the authentication of the client and the assertion token, a verification request, wherein the client device is a publisher and the plurality of IDM components are subscribers;
  
  receive a verification, from the particular IDM component selected by the broker, of the at least one of the client authentication and assertion token; and
  
  in response to receiving the verification from the particular IDM component selected by the broker, deliver the requested service to the client device.

15. A broker in a network having distributed identity management (IDM) components, the broker comprising:
- a processor and a memory, said memory containing instructions executed by said processor to cause the processor to;
  
  receive, from each of a plurality of IDM components providing distributed authentication for accessing a service provided by a service provider, a subscription to authentication requests, wherein the plurality of IDM components are subscribers;
  
  receive an authentication request published by a client device in the network, the authentication request for accessing, by the client device, the service by the service provider, wherein the client device is a publisher;
  
  determine that a subscription by a particular IDM component of the plurality of IDM components matches the published authentication request; and
  
  forward the authentication request to one of the particular IDM component of the plurality of IDM components.
- View Dependent Claims (16)
- - 16. The broker of claim 15, wherein the instructions are configured to cause the processor to determine if capabilities of the IDM component, included in the subscription, are suitable for the authentication request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telefonaktiebolaget LM Ericsson
Original Assignee
Telefonaktiebolaget LM Ericsson
Inventors
Ahmed, Abu Shohel, Jokela, Petri
Primary Examiner(s)
Patel, Haresh N

Application Number

US14/896,990
Publication Number

US 20160142392A1
Time in Patent Office

1,761 Days
Field of Search

726 7
US Class Current
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/0815   providing single-sign-on or...

H04L 63/0823   using certificates cryptogr...

H04L 63/205   involving negotiation or de...

H04L 67/10   in which an application is ...

Systems and methods for providing distributed authentication of service requests by identity management components

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

22 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for providing distributed authentication of service requests by identity management components

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links