In order to describe the manner in which the above-recited and other advantages and features can be obtained, a more particular description of the subject matter briefly described above will be rendered by reference to specific embodiments which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments and are not therefore to be considered to be limiting in scope, embodiments will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:
Embodiments herein may comprise a special purpose or general-purpose computer including various computer hardware, as discussed in greater detail below.
One embodiment described herein allows for alternate personally identifying information to be transmitted by a client in a request to a token issuer. Because the client has already been authenticated with the token issuer, the token issuer can substitute the alternate personally identifying information in a security token that is issued to the client. As such, information can be included in a security token beyond what is stored at the token issuer as a result of a previous authentication for a given client. Thus, a token issuer can specify alternate personally identifying information in a security token, which in one embodiment can be substituted for personally identifying information that would be included in the security token absent the alternate personally identifying information from the client.
Referring now to
In the example illustrated, a request 110 is sent from the client 102 to the token issuer service 104. The request 110 includes alternate personally identifying information. The alternate personally identifying information may be any one of a number of different pieces of information. For example, the alternate personally identifying information may be an alternate email address, an alternate name, a nickname, an alternate telephone number, an alternate physical address, an alternate numeric identifier, etc. Notably, while some examples have been illustrated here, these examples should in no way be considered limiting as to the scope of alternate personally identifying information that may be included.
Returning once again to the example of
In one embodiment, when a request for a security token including alternate personally identifying information is received from a client, a token issuer service may be configured to authenticate the client using personally identifying information at the token issuer. Specifically, because the alternate personally identifying information may not be previously known to the token issuer, the token issuer may perform various authenticating actions to confirm the identity of the client. These authenticating actions may use information previously known about the client by the token issuer service. However, in some alternative embodiments, the information included in the token request may be sufficient to authenticate the client to the token issuer service.
In one exemplary embodiment, the alternate personally identifying information replaces one or more pieces of information from the personally identifying information that would be included in the security token if the alternate personally identifying information were not present in the security token request. For example, a security token 108 that is eventually issued by a token issuer service 104 may exclude certain personally identifying information that would normally be included and replace that information with the alternate personally identifying information included in the token request 110.
Alternatively, the alternate personally identifying information for an entity is an alternative to one or more pieces of information in the personally identifying information for the entity at the security token issuer. For example, a security token 108 issued from a token issuer service 104 may include information that would normally be included absent the inclusion of the alternate personally identifying information in the request 110, but may also include the alternate personally identifying information as well. For example, the security token 108 may include two email addresses instead of a single email address that would normally be included in the token 108.
Some embodiments may be such that the token issuer service is already aware of the alternate personally identifying information. For example, the token issuer service 104 may have four alternate email addresses for a particular client 102. Each of these alternate email addresses may have been authenticated by the token issuer service 104, such that the token issuer service 104 has a reasonable basis for relying on the email addresses as being authentic for the client 102. As such, when the alternate personally identifying information included in the request 110 includes one of the four previously authenticated email addresses, the token issuer service 104 may include the email address specified in the alternate personally identifying information based on having already authenticated the email address.
In an alternative embodiment, the alternate personally identifying information is not pre-registered with the token issuer prior to receiving the alternate personally identifying information in the security token request. Rather, a token issuer may nonetheless include the alternate personally identifying information in a security token by virtue of a security relationship with the client based on primary personally identifying information previously sent.
Referring now to
Referring now to
The method includes sending a security token request including alternate personally identifying information (act 202) for an entity. For example, as illustrated in Figure 1A, request 110 is sent to the token issuer service 104. Alternatively, a request may be sent by sending to a local token issuer service 104 such as is illustrated in
The method 200 further includes an act of receiving a security token from the security token issuer including the alternate personally identifying information. For example,
In one embodiment, sending a security token request to a token issuer (act 202) may include sending authentication information authenticating the entity to the token issuer. For example, the authentication information may include personally identifying information at the token issuer that can be used to authenticate the entity to the token issuer. In one embodiment, the authentication information may include an X.509 certificate, a SAML certificate, an XrML certificate and/or a Kerberos ticket.
In one embodiment of the method 200, sending and receiving are performed using Web Services. Specifically, Web Services may be used to implement the messaging for token requests and token issuance. Web Services is a standardized way of integrating applications. Standardized XML documents can be used with SOAP (Simple Object Access Protocol) messages and WSDL (Web Services Description Language) descriptions to integrate applications without an extensive knowledge of the applications being integrated. In particular, in one embodiment, WS-Trust, an authentication protocol used in Web Services applications, may be used with the extended functionality of being able to have alternate personally identifying information specified by a client for inclusion in a security token.
Referring now to
The method 300 further includes sending a security token to the client, including the alternate personally identifying information (act 304).
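The issuer-side behaviour described above (authenticate the client with information already held at the issuer, then either substitute or append the requested alternate value, honouring it only when the issuer has previously verified it, or optionally by virtue of the established relationship alone) modelled as an added Python example; this is illustrative code, not code from the patent. The account store, credential, signing key and the `alternate_pii` request field are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed issuer state: primary PII plus the alternate values the issuer has
# itself verified (the "four alternate email addresses" embodiment).
REGISTERED = {
    "alice": {
        "secret": "alice-primary-secret",  # constructed credential
        "pii": {"name": "Alice Example", "email": "alice@corp.example"},
        "verified_alternates": {
            "email": {"alice@mail.example", "a.example@club.example"},
        },
    }
}
ISSUER_KEY = b"constructed-issuer-signing-key"  # assumption, not a real key


def authenticate(request):
    """Act 302: authenticate with credentials already known to the issuer.
    The alternate PII in the request plays no part in this step."""
    acct = REGISTERED.get(request["subject"])
    if acct is None or not hmac.compare_digest(acct["secret"], request["credential"]):
        raise PermissionError("client not authenticated")
    return acct


def issue_token(request, mode="substitute", require_verified=True):
    """Act 304: build a signed token containing the alternate PII.
    mode="substitute" replaces the stored value; mode="append" keeps both
    (the two-email-address embodiment). With require_verified=True an alternate
    value is only honoured if the issuer previously verified it for this client."""
    acct = authenticate(request)
    claims = dict(acct["pii"])
    for attr, value in request.get("alternate_pii", {}).items():
        if require_verified and value not in acct["verified_alternates"].get(attr, set()):
            raise ValueError(f"alternate {attr} not verified by issuer")
        if mode == "substitute":
            claims[attr] = value
        else:
            existing = claims[attr] if isinstance(claims[attr], list) else [claims[attr]]
            claims[attr] = sorted(set(existing) | {value})
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"claims": claims, "token": f"{body}.{sig}"}


def verify_token(token):
    """Relying-party check that the issuer signed the claims."""
    body, sig = token.split(".")
    expected = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)
```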
Embodiments may also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer. By way of example, and not limitation, such computer-readable media can comprise physical media such as RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media.
Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.