Exhibit C
Case 1:20-cv-00351-UNA Document 1-3 Filed 03/11/20 Page 2 of 42 PageID #: 85

(12) United States Patent
Hinton et al.

(10) Patent No.: US 7,631,346 B2
(45) Date of Patent: Dec. 8, 2009

(54) METHOD AND SYSTEM FOR A RUNTIME USER ACCOUNT CREATION OPERATION WITHIN A SINGLE-SIGN-ON PROCESS IN A FEDERATED COMPUTING ENVIRONMENT

(75) Inventors: Heather Maria Hinton, Austin, TX (US); Ivan Matthew Milman, Austin, TX (US); Venkat Raghavan, Austin, TX (US); Shane Bradley Weeden, Gold Coast (AU)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 827 days.

(21) Appl. No.: 11/097,587

(22) Filed: Apr. 1, 2005

(65) Prior Publication Data
US 2006/0236382 A1    Oct. 19, 2006

(51) Int. Cl.
G06F 7/04 (2006.01)
G06F 7/30 (2006.01)

(52) U.S. Cl. 726/8; 380/279

(58) Field of Classification Search 726/6, 8; 713/186, 169; 380/279; 715/500
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,290,278 B2 *    10/2007  Cahill et al.     726/6
2003/0149781 A1   8/2003   Yared et al.
2003/0154266 A1 * 8/2003   Bobick et al.     709/223
2004/0010607 A1   1/2004   Lee et al.        709/229
2004/0158746 A1 * 8/2004   Hu et al.         713/202
2004/0205176 A1 * 10/2004  Ting et al.       709/223
2005/0074126 A1 * 4/2005   Stanko            380/279
2005/0210270 A1 * 9/2005   Rohatgi et al.    713/186
2005/0240763 A9   10/2005  Bhat et al.       713/169
2005/0257130 A1 * 11/2005  Ito               715/500.1
2006/0048213 A1 * 3/2006   Cheng et al.      726/5
2006/0059544 A1   3/2006   Guthrie et al.    726/4
2006/0195893 A1 * 8/2006   Caceres et al.    726/8
2007/0005730 A1   1/2007   Torvinen et al.   709/219

* cited by examiner

OTHER PUBLICATIONS
Gross, T.; Security analysis of the SAML single sign-on browser/artifact profile; Publication Date: Dec. 8-12, 2003; IBM Zurich Res. Lab; on pp. 298-307.*

Primary Examiner—Kambiz Zand
Assistant Examiner—Monjour Rahim
(74) Attorney, Agent, or Firm—Jeffrey S. LaBaw; David H. Judson

(57) ABSTRACT

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

20 Claims, 14 Drawing Sheets

[Front-page drawing (FIG. 3): block diagram of a client device 314 (browser application 316, other apps 318, HTTP 320, ML interpreter 322, web services client 324); a federation front-end for enterprise/domain 340 (point-of-contact (POC) server 342, trust proxy (TP)/trust service 344, security token service (STS) 346, federation configuration application 348, federation interface unit 350, federated user lifecycle management (FULM) application 352, single-sign-on protocol service (SPS) 354, identity and attribute service (IAS) 356, federation user registry 358); and legacy applications or back-end processing for enterprise/domain 330 (authentication service runtime (ASR) servers 332, application servers 334, protected resources 335, legacy user registration application 336, enterprise user registry 338).]
U.S. Patent    Dec. 8, 2009    Sheet 1 of 14    US 7,631,346 B2

[FIG. 1A (PRIOR ART): typical network of data processing systems 100, with clients (including client 109), a personal digital assistant 116 and a wireless phone 111 connected over the network.]

[FIG. 1B (PRIOR ART): typical computer architecture showing CPU, display adapter and display, user interface adapter, I/O adapter, printer, mouse, keyboard, and communication adapter with communication link (reference numerals 120 through 148).]
Sheet 2 of 14

[FIG. 1C (PRIOR ART): dataflow of a typical user authentication between a client and the server at ibm.com: user requests a web page at ibm.com; HTTP request; no identity information available at the server; authentication challenge; user/client provides information; authentication response; server authenticates user/client; SSL session established with a session ID; HTTP response; user requests another web page at ibm.com; HTTP request carrying the SSL session ID; HTTP response (reference numerals 152 through 164).]

[FIG. 1D (PRIOR ART): typical Web-based environment with servers and a web application server located in DNS domain 1 (173) and DNS domain 2 (175).]
Sheet 3 of 14

[FIG. 1E (PRIOR ART): typical online transaction that may require multiple authentication operations: ISP domain 191 with an authentication manager (AM), government domain 193, banking domain 195 with its own AM 196, and e-commerce domain 197.]

[FIG. 2: federated environment terminology: Enterprise A 204 (home domain/identity provider, issuing domain), Enterprise B 206 (relying domain/service provider, which in turn acts as an issuing domain), Enterprise C 208 (relying domain).]

[FIG. 4: Enterprise A 410 with point-of-contact (POC) server 412, trust proxy (TP)/trust service 414 and security token service (STS) 416; Enterprise B 420 with POC server 422 and trust service 424; trust broker 430.]
Sheet 4 of 14

[FIG. 3: integration of pre-existing data processing systems at a domain with federated architecture components. Client device 314: browser application 316, other apps 318, HTTP 320, ML interpreter 322, web services client 324. Federation front-end for enterprise/domain 340: point-of-contact (POC) server 342, trust proxy (TP)/trust service 344, security token service (STS) 346, federation configuration application 348, federation interface unit 350, federated user lifecycle management (FULM) application 352, single-sign-on protocol service (SPS) 354, identity and attribute service (IAS) 356, federation user registry 358. Legacy applications or back-end processing for enterprise/domain 330: authentication service runtime (ASR) servers 332, application servers 334, protected resources 335, legacy user registration application 336, enterprise user registry 338.]

[FIG. 5: trust relationships between federated domains: federated domain X 502, federated domain Y 504 and federated domain Z 506, each with a trust proxy (512 for domain Z); direct trust relationships between domains (518) and a brokered trust relationship through trust broker 520.]
Sheet 5 of 14

[FIG. 6: federated environment supporting federated single-sign-on: user 600; Enterprise A 610 with point-of-contact (POC) server 612 and trust proxy (TP) 614; Enterprise B 620 with POC server 622; Enterprise C 630 with POC server 632; trust broker 650.]

[FIG. 7: federated domain components for federated user lifecycle management, with an external DMZ between two firewalls: point-of-contact (POC) server 702, application servers 704, protected resources 706, federated user lifecycle management (FULM) application/service 708, trust service 714, single-sign-on protocol service (SPS) 716, identity and attribute service (I&AS) 718, federation user registry 720, enterprise user registry 722, FULM plug-ins 724. Requests 730 arrive at the POC server and are routed as requests for protected resources 732 or as FULM requests 734.]
Sheet 6 of 14

[FIG. 8 (PRIOR ART): typical single-sign-on operation initiated by the identity provider, user previously provisioned at the SP. Dataflow between client, service provider and identity provider over time: user has previously established account with SP (802); user has valid (authenticated) session with IdP (804); IdP offers links to federated resources; user selects operation with federated resource at known service providers; IdP builds SSO request (810); HTTP redirect with SSO for accessing resource; HTTP request (redirected) for resource access (814); SP processes SSO request; SP processes resource access; HTTP redirect with response.]
Sheet 7 of 14

[FIG. 9A: push-type single-sign-on operation with runtime user account creation at the SP (user not previously provisioned at the SP). Dataflow between client, service provider and identity provider over time: user has valid (authenticated) session with IdP; IdP offers links to resources at federated service providers (904); user selects operation to access resource at SP (906); IdP performs IdP-side alias creation if user is not federated (908); IdP builds SSO request (910); HTTP redirect with SSO for accessing resource (912); HTTP request (redirect) for resource access (914); SP processes SSO request; user is not federated, so SP creates new account for user with alias information that is provided by IdP; SP processes resource access; HTTP response for resource access.]
Sheet 8 of 14

[FIG. 9B: push-type single-sign-on operation with runtime user account creation at the SP (additional pulling of user attributes by SP from IdP). Dataflow: user has valid (authenticated) session with IdP (902); IdP offers links to resources at federated service providers; user selects operation to access resource at SP (906); IdP-side alias creation if user is not federated (908); build SSO request (910); HTTP redirect with SSO for accessing resource (912); HTTP request (redirect) for resource access (914); SP processes SSO request; user does not have account and SSO request does not include all required attributes; HTTP redirect for additional user attributes (932); HTTP request (redirect) with attribute request (934); IdP builds attribute response (936); HTTP redirect with attribute response (938); HTTP request for redirected URI with attributes (940); SP builds user account with attributes and alias; SP processes resource access; HTTP response for resource access.]
Sheet 9 of 14

[FIG. 9C: push-type single-sign-on operation with runtime user account creation at the SP (additional pulling of user attributes by SP from IdP), first part. Dataflow: user browses public resources at IdP (952); IdP requires authenticated session; IdP-side alias creation if user is not federated (962); build push-type SSO request (964); HTTP redirect with SSO for accessing resource (966); HTTP request (redirect) for resource access (968); SP processes SSO response; user is not federated, so SP creates or attempts to create new account for user with alias information that is provided by IdP; SSO response does not include all required user attributes for account creation or to complete account creation.]
Sheet 10 of 14

[FIG. 9D: completion of push-type SSO operation with runtime user account creation at the SP (front-channel user attribute retrieval by SP from IdP). Dataflow: HTTP redirect for additional user attributes; HTTP request (redirect) with attribute request (978); IdP builds attribute response; HTTP redirect with attribute response; SP builds (or completes creation of) user account with attributes and alias; HTTP response for resource access.]

[FIG. 9E: completion of push-type SSO operation with runtime user account creation at the SP (back-channel user attribute retrieval by SP from IdP). Dataflow: SP sends SOAP request for additional attributes directly to IdP; IdP builds attribute response; SOAP response with attribute response; SP builds (or completes creation of) user account with attributes and alias; HTTP response for resource access.]
Sheet 11 of 14

[FIG. 10: flowchart of the runtime linked-user-account creation operation at a service provider during a single-sign-on operation initiated by an identity provider.]
BEGIN
1002: Service provider receives request from identity provider to access protected resource based on single-sign-on operation.
1004: Extract user identifier from received request message.
1006: Recognize user identity? If YES, continue at 1024.
1008: Extract any user attributes from received request message.
1010: Sufficient information for provisioning user? If NO: 1012: send request to identity provider to obtain user attributes; 1014: receive response from identity provider with additional user attributes.
1016: Provision user at service provider.
1018: Sufficient information for making user active? If NO: upper limit exceeded? If NO, the attribute request (1012) is repeated; if YES, 1022: error handling, then END.
1024: Create active session for user.
1026: Generate response based on access to protected resource.
1028: Send response to identity provider.
END
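The runtime account-creation logic of the FIG. 10 flowchart, combined with the push-type exchange of FIGS. 9A-9E (IdP-side alias creation, an SSO token carrying the alias and some attributes, and a back-channel attribute pull by the SP when the token is incomplete), as an added Python example; it is not code from the patent or from IBM. The message layout, the HMAC-based token signature standing in for the trust service's token validation, the attribute names `email` and `display_name`, and the limit of two attribute pulls are assumptions made for this demonstration.

```python
"""Runtime user account creation during a federated single-sign-on, modelled
on the FIG. 10 flowchart and the push-type exchange of FIGS. 9A-9E.
Added example: not code from the patent or from IBM. Message layout, the
HMAC token signature, the attribute names and the pull limit are assumptions."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, Tuple

REQUIRED_ATTRIBUTES = ("email", "display_name")  # assumed SP provisioning policy
MAX_ATTRIBUTE_PULLS = 2                            # assumed "upper limit" of FIG. 10


def sign(key: bytes, claims: dict) -> str:
    """Stand-in for the trust service's token signing (assumption: HMAC-SHA256
    over canonical JSON with a secret shared when the partnership was set up)."""
    body = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class IdentityProvider:
    """IdP side: user directory, per-SP alias creation, SSO token issuance and
    the back-channel attribute endpoint (FIG. 9E style)."""

    def __init__(self, issuer: str, key: bytes, users: Dict[str, Dict[str, str]]):
        self.issuer, self.key, self.users = issuer, key, users
        self.aliases: Dict[Tuple[str, str], str] = {}  # (sp_id, local user) -> alias

    def alias_for(self, sp_id: str, local_user: str) -> str:
        # IdP-side alias creation (step 908): a random per-SP pseudonym, so the SP
        # never sees the IdP-local identifier and two SPs cannot correlate users.
        return self.aliases.setdefault((sp_id, local_user), secrets.token_hex(8))

    def build_sso_token(self, sp_id: str, local_user: str, push: Iterable[str] = ()) -> dict:
        # Build SSO request (step 910): alias plus the attributes the IdP chooses
        # to push; anything else the SP needs, it must pull later.
        claims = {"issuer": self.issuer, "audience": sp_id,
                  "alias": self.alias_for(sp_id, local_user),
                  "attributes": {k: self.users[local_user][k] for k in push}}
        return {"claims": claims, "sig": sign(self.key, claims)}

    def attribute_request(self, sp_id: str, alias: str, wanted: Iterable[str]) -> dict:
        # Back-channel attribute response: map the alias back to the local user
        # and release only the requested attributes that actually exist.
        for (spid, local_user), a in self.aliases.items():
            if spid == sp_id and a == alias:
                return {k: v for k, v in self.users[local_user].items() if k in wanted}
        return {}


class ServiceProvider:
    """SP side: validates the SSO token, then provisions a linked account at
    runtime if none exists (FIG. 10, steps 1002-1028)."""

    def __init__(self, sp_id: str, partners: Dict[str, Tuple[bytes, IdentityProvider]]):
        self.sp_id = sp_id
        self.partners = partners                    # issuer -> (shared key, endpoint)
        self.accounts: Dict[Tuple[str, str], dict] = {}   # (issuer, alias) -> account
        self.sessions: Dict[str, Tuple[str, str]] = {}

    def process_sso(self, token: dict) -> dict:
        claims = token["claims"]
        partner = self.partners.get(claims.get("issuer"))
        # Reject unknown issuers, wrong audience and bad signatures before any
        # account is created; otherwise anyone could mint accounts at the SP.
        if partner is None or claims.get("audience") != self.sp_id:
            return {"status": "error", "reason": "untrusted issuer or audience"}
        key, idp = partner
        if not hmac.compare_digest(sign(key, claims), token.get("sig", "")):
            return {"status": "error", "reason": "bad signature"}

        account_key = (claims["issuer"], claims["alias"])           # step 1004
        if account_key not in self.accounts:                         # step 1006: no linked account
            attrs = dict(claims.get("attributes", {}))               # step 1008
            pulls = 0
            while any(k not in attrs for k in REQUIRED_ATTRIBUTES):  # steps 1010 / 1018
                if pulls >= MAX_ATTRIBUTE_PULLS:                     # upper limit exceeded
                    return {"status": "error", "reason": "insufficient attributes"}  # 1022
                missing = [k for k in REQUIRED_ATTRIBUTES if k not in attrs]
                attrs.update(idp.attribute_request(self.sp_id, claims["alias"], missing))  # 1012-1014
                pulls += 1
            self.accounts[account_key] = {"attributes": attrs, "linked": True}  # step 1016
        session_id = secrets.token_hex(16)                           # step 1024
        self.sessions[session_id] = account_key
        return {"status": "ok", "session": session_id, "account": account_key}  # 1026-1028


def demo():
    """Constructed sample: alice exists at the IdP but has no account at the SP yet."""
    idp = IdentityProvider("https://idp.example", b"demo-shared-secret",
                           {"alice": {"email": "alice@idp.example", "display_name": "Alice"}})
    sp = ServiceProvider("https://sp.example", {"https://idp.example": (b"demo-shared-secret", idp)})
    first = sp.process_sso(idp.build_sso_token("https://sp.example", "alice", push=("email",)))
    second = sp.process_sso(idp.build_sso_token("https://sp.example", "alice"))
    return sp, first, second


if __name__ == "__main__":
    sp, first, second = demo()
    print(first["status"], second["status"], len(sp.accounts))  # ok ok 1
```

Two design points match the figures: the account is keyed by (issuer, alias), so aliases minted by different identity providers cannot collide or be replayed across partners, and no account is created until the issuer appears in the configured partner list and the signature verifies. The bounded loop is the flowchart's "upper limit exceeded" branch into error handling; without it a partner that never returns a required attribute would keep the SP pulling indefinitely.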
Sheet 12 of 14

[FIG. 11A: pull-type single-sign-on operation with runtime user provisioning at the SP (user not previously provisioned at the SP). Dataflow between client, service provider and identity provider over time: user browses public resources at SP; user requests protected resource for which SP requires session (authentication) (1104); SP cannot determine user's IdP and asks user for preferred IdP (1106); user provides or selects identifier for IdP (1108); SP builds SSO request for user (SP does not know user is not federated); HTTP redirect for SSO request to IdP (1112); HTTP request (redirect) with SSO request to IdP (1114); IdP authenticates user, if required (1116); IdP evaluates request, SP is not requesting to federate a user identity; HTTP redirect with SSO response; HTTP request (redirect) for SSO response (1126); SP processes SSO response; user is not federated, so SP creates new account for user with alias information that is provided by IdP; SP processes resource access; HTTP response for resource access.]
Sheet 13 of 14

[FIG. 11B: pull-type single-sign-on operation with runtime user provisioning at the SP (requires additional pulling of user attributes by SP from IdP), first part. Dataflow: user browses public resources at SP (1102); user requests protected resource for which SP requires session (authentication) (1104); SP cannot determine user's IdP and asks user for preferred IdP (1106); user provides or selects identifier for IdP (1108); SP builds SSO request for user (SP does not know user is not federated); HTTP redirect for SSO request to IdP (1112); HTTP request (redirect) with SSO request to IdP (1114); IdP authenticates user, if required (1116); IdP evaluates request, SP is not requesting to federate a user identity; build pull-type SSO request; HTTP redirect with SSO response; user is not federated, so SP creates or attempts to create new account for user with alias information that is provided by IdP; SSO response does not include all required user attributes for account creation or to complete account creation.]
Sheet 14 of 14

[FIG. 11C: completion of pull-type SSO operation with runtime user account creation at the SP (front-channel user attribute retrieval by SP from IdP). Dataflow: HTTP redirect for additional user attributes; HTTP request (redirect) with attribute request (1156); IdP builds attribute response; HTTP redirect with attribute response; HTTP request for redirected URI with attributes (1162); SP builds (or completes creation of) user account with attributes and alias; SP processes resource access; HTTP response for resource access (1134).]

[FIG. 11D: completion of pull-type SSO operation with runtime user account creation at the SP (back-channel user attribute retrieval by SP from IdP). Dataflow: SOAP response with attribute response from IdP; SP builds (or completes creation of) user account with attributes and alias; HTTP response for resource access.]
US 7,631,346 B2

METHOD AND SYSTEM FOR A RUNTIME USER ACCOUNT CREATION OPERATION WITHIN A SINGLE-SIGN-ON PROCESS IN A FEDERATED COMPUTING ENVIRONMENT

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention is directed to networked computer systems.

2. Description of Related Art

Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, those authentication mechanisms may become barriers to accessing protected resources. Users generally desire the ability to change from interacting with one application to another application without regard to authentication barriers that protect each particular system supporting those applications.

As users get more sophisticated, they expect that computer systems coordinate their actions so that burdens on the user are reduced. These types of expectations also apply to authentication processes. A user might assume that once he or she has been authenticated by some computer system, the authentication should be valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are almost invisible to the user. Enterprises generally try to fulfill these expectations in the operational characteristics of their deployed systems, not only to placate users but also to increase user efficiency, whether the user efficiency is related to employee productivity or customer satisfaction.

More specifically, with the current computing environment in which many applications have a Web-based user interface that is accessible through a common browser, users expect more user-friendliness and low or infrequent barriers to movement from one Web-based application to another. In this context, users are coming to expect the ability to jump from interacting with an application on one Internet domain to another application on another domain without regard to the authentication barriers that protect each particular domain. However, even if many systems provide secure authentication through easy-to-use, Web-based interfaces, a user may still be forced to reckon with multiple authentication processes that stymie user access across a set of domains. Subjecting a user to multiple authentication processes in a given time frame may significantly affect the user's efficiency.

For example, various techniques have been used to reduce authentication burdens on users and computer system administrators. These techniques are generally described as "single-sign-on" (SSO) processes because they have a common purpose: after a user has completed a sign-on operation, i.e. been authenticated, the user is subsequently not required to perform another authentication operation. Hence, the goal is that the user would be required to complete only one authentication process during a particular user session.

To reduce the costs of user management and to improve interoperability among enterprises, federated computing spaces have been created. A federation is a loosely coupled affiliation of enterprises which adhere to certain standards of interoperability; the federation provides a mechanism for trust among those enterprises with respect to certain computational operations for the users within the federation. For example, a federation partner may act as a user's home domain or identity provider. Other partners within the same federation may rely on the user's identity provider for primary management of the user's authentication credentials, e.g., accepting a single-sign-on token that is provided by the user's identity provider.

As enterprises move to support federated business interactions, these enterprises should provide a user experience that reflects the increased cooperation between two businesses. As noted above, a user may authenticate to one party that acts as an identity provider and then single-sign-on to a federated business partner that acts as a service provider. In conjunction with single-sign-on functionality, additional user lifecycle functionality, such as single-sign-off, user provisioning, and account linking/delinking, should also be supported.

Single-sign-on solutions require that a user be identifiable in some form or another at both an identity provider and a service provider; the identity provider needs to be able to identify and authenticate a user, and the service provider needs to be able to identify the user based on some form of assertion about the user in response to a single-sign-on request. Various prior art single-sign-on solutions, e.g., such as those described in the Liberty Alliance ID-FF specifications, require that a user have an authenticatable account at both an identity provider and a service provider as a prerequisite to a federated single-sign-on operation. Some federated solutions support an a priori user account creation event across domains to be used to establish these accounts, thereby satisfying a requirement that a user have an authenticatable account at both an identity provider and a service provider as a prerequisite to a federated single-sign-on operation.

Although some federated solutions provide a robust set of federated user lifecycle management operations, such as user account creation, user account management, user attribute management, account suspension, and account deletion, these federated management systems do not provide a lightweight solution that is suitable for certain federation partners or for certain federated purposes.

Therefore, it would be advantageous to have methods and systems in which enterprises can provide comprehensive single-sign-on experiences to users in a federated computing environment in a lightweight manner that does not require an extensive amount of a priori processing.

SUMMARY OF THE INVENTION

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows a single-sign-on operation from the identity provider, the service provider creates a local user account based at least in part on information from the identity provider. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, further objectives, and advantages thereof, will be best understood by reference to the following detailed description when read in conjunction with the accompanying drawings, wherein:

FIG. 1A depicts a typical network of data processing systems, each of which may implement the present invention;

FIG. 1B depicts a typical computer architecture that may be used within a data processing system in which the present invention may be implemented;

FIG. 1C depicts a data flow diagram that illustrates a typical authentication process that may be used when a client attempts to access a protected resource at a server;

FIG. 1D depicts a network diagram that illustrates a typical Web-based environment in which the present invention may be implemented;

FIG. 1E depicts a block diagram that illustrates an example of a typical online transaction that might require multiple authentication operations from a user;

FIG. 2 depicts a block diagram that illustrates the terminology of the federated environment with respect to a transaction that is initiated by a user to a first federated enterprise, which, in response, invokes actions at downstream entities within the federated environment;

FIG. 3 depicts a block diagram that illustrates the integration of pre-existing data processing systems at a given domain with some federated architecture components that may be used to support an embodiment of the present invention;

FIG. 4 depicts a block diagram that illustrates an example of a manner in which some components within a federated architecture may be used to establish trust relationships to support an implementation of the present invention;

FIG. 5 depicts a block diagram that illustrates an exemplary set of trust relationships between federated domains using trust proxies and a trust broker in accordance with an exemplary federated architecture that is able to support the present invention;

FIG. 6 depicts a block diagram that illustrates a federated environment that supports federated single-sign-on operations;

FIG. 7 depicts a block diagram that illustrates some of the components in a federated domain for implementing federated user lifecycle management functionality in order to support the present invention;

FIG. 8 depicts a dataflow diagram that shows a typical prior art HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider;

FIGS. 9A-9B depict dataflow diagrams that show an HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention;

FIGS. 9C-9E depict dataflow diagrams that show an HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider with alternative methods for obtaining user attributes by the federated service provider in accordance with an embodiment of the present invention;

FIG. 10 depicts a flowchart that shows a more detailed process for performing a runtime linked-user-account creation operation at a service provider during a single-sign-on operation that has been initiated by an identity provider;

FIG. 11A depicts a dataflow diagram that shows an HTTP-redirection-based pull-type single-sign-on operation that is initiated by a federated service provider to allow access to a protected resource at the federated service provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention; and

FIGS. 11B-11D depict a set of dataflow diagrams that show an HTTP-redirection-based pull-type single-sign-on operation that is initiated by a federated service provider to allow access to a protected resource at the federated service provider with additional retrieval of user attribute information from a federated identity provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In general, the devices that may comprise or relate to the present invention include a wide variety of data processing technology. Therefore, as background, a typical organization of hardware and software components within a distributed data processing system is described prior to describing the present invention in more detail.

With reference now to the figures, FIG. 1A depicts a typical network of data processing systems, each of which may implement the present invention. Distributed data processing system 100 contains network 101, which is a medium that may be used to provide communications links between various devices and computers connected together within distributed data processing system 100. Network 101 may include permanent connections, such as wire or fiber optic cables, or temporary connections made through telephone or wireless communications. In the depicted example, server 102 and server 103 are connected to network 101 along with storage unit 104. In addition, clients 105-107 also are connected to network 101. Clients 105-107 and servers 102-103 may be represented by a variety of computing devices, such as mainframes, personal computers, personal digital assistants (PDAs), etc. Distributed data processing system 100 may include additional servers, clients, routers, other devices, and peer-to-peer architectures that are not shown.

In the depicted example, distributed data processing system 100 may include the Internet with network 101 representing a worldwide collection of networks and gateways that use various protocols to communicate with one another, such as LDAP (Lightweight Directory Access Protocol), TCP/IP (Transport Control Protocol/Internet Protocol), HTTP (HyperText Transport Protocol), etc. Of course, distributed data processing system 100 may also include a number of different types of networks, such as, for example, an intranet, a local area network (LAN), or a wide area network (WAN). For example, server 102 directly supports client 109 and network 110, which incorporates wireless communication links. Network-enabled phone 111 connects