Case 1:20-cv-00351-UNA Document 1-3 Filed 03/11/20 Page 1 of 42 PageID #: 84

Exhibit C

(12) United States Patent
Hinton et al.

(10) Patent No.: US 7,631,346 B2
(45) Date of Patent: Dec. 8, 2009

(54) METHOD AND SYSTEM FOR A RUNTIME USER ACCOUNT CREATION OPERATION WITHIN A SINGLE-SIGN-ON PROCESS IN A FEDERATED COMPUTING ENVIRONMENT

(75) Inventors: Heather Maria Hinton, Austin, TX (US); Ivan Matthew Milman, Austin, TX (US); Venkat Raghavan, Austin, TX (US); Shane Bradley Weeden, Gold Coast (AU)

(73) Assignee: International Business Machines Corporation, Armonk, NY (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 827 days.

(21) Appl. No.: 11/097,587

(22) Filed: Apr. 1, 2005

(65) Prior Publication Data: US 2006/0236382 A1, Oct. 19, 2006

(51) Int. Cl.: G06F 7/04 (2006.01); G06F 7/30 (2006.01)

(52) U.S. Cl.: 726/8; 380/279

(58) Field of Classification Search: 726/6, 8; 713/186, 169; 380/279; 715/500. See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
7,290,278 B2 * 10/2007 Cahill et al. ... 726/6
2003/0149781 A1 8/2003 Yared et al.
2003/0154266 A1* 8/2003 Bobick et al. ... 709/223
2004/0010607 A1 1/2004 Lee et al. ... 709/229
2004/0158746 A1* 8/2004 Hu et al. ... 713/202
2004/0205176 A1* 10/2004 Ting et al. ... 709/223
2005/0074126 A1* 4/2005 Stanko ... 380/279
2005/0210270 A1* 9/2005 Rohatgi et al. ... 713/186
2005/0240763 A9 10/2005 Bhat et al. ... 713/169
2005/0257130 A1* 11/2005 Ito ... 715/500.1
2006/0048213 A1* 3/2006 Cheng et al. ... 726/5
(Continued)

OTHER PUBLICATIONS
Gross, T.; Security analysis of the SAML single sign-on browser/artifact profile; Publication Date: Dec. 8-12, 2003; IBM Zurich Res. Lab; pp. 298-307.*

Primary Examiner: Kambiz Zand
Assistant Examiner: Monjour Rahim
(74) Attorney, Agent, or Firm: Jeffrey S. LaBaw; David H. Judson

(57) ABSTRACT

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows for a single-sign-on operation with the identity provider, the service provider creates a local user account. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

20 Claims, 14 Drawing Sheets

[Representative drawing (FIG. 3): client device 314 with browser application 316, ML interpreter 322 and web services client 324, communicating over HTTP 320 with the federation front-end for the enterprise/domain 340: point-of-contact (POC) server 342, trust proxy (TP) (trust service) 344, security token service (STS) 346, federation configuration application 348, federation interface unit 350, federated user lifecycle management (FULM) application 352, single-sign-on protocol service (SPS) 354, identity and attribute service (IAS) 356 and federation user registry 358; behind it, the legacy applications or back-end processing for the enterprise/domain 330: authentication service runtime (ASR) servers 332, application servers 334, protected resources 335, legacy user registration application 336 and enterprise user registry 338.]

US 7,631,346 B2, Page 2

U.S. PATENT DOCUMENTS (continued)
2006/0059544 A1 3/2006 Guthrie et al. ... 726/4
2006/0195893 A1* 8/2006 Caceres et al. ... 726/8
2007/0005730 A1 1/2007 Torvinen et al. ... 709/219

* cited by examiner

[Sheet 1 of 14. FIG. 1A (prior art): a typical network of data processing systems (network with clients, personal digital assistants and a wireless phone). FIG. 1B (prior art): a typical computer architecture (CPU, display adapter and display, user interface adapter with keyboard and mouse, I/O adapter with printer and disk, communication adapter and communication link).]

[Sheet 2 of 14. FIG. 1C (prior art): typical user authentication between a client and a server. The user requests a web page at ibm.com; the client sends an HTTP request (152); ibm.com finds no identity information available (154); the server authenticates the user/client: establish SSL session (156), authentication challenge (158), user/client provides information (157), authentication response (160); HTTP response (162); the user requests another web page at ibm.com (164) and the HTTP request and response are tied to the established SSL session ID (SSL SESSION ID="F"). FIG. 1D (prior art): a typical Web-based environment with servers and a web application server across DNS domain 1 (173) and DNS domain 2 (175).]

[Sheet 3 of 14. FIG. 1E (prior art): an online transaction that requires multiple authentications, spanning ISP domain 191, government domain 193, banking domain 195 and e-commerce domain 197, each with its own authentication manager (AM) 196. FIG. 2: federation terminology: Enterprise A 204 is the home domain/identity provider and issuing domain; Enterprise B 206 is a relying domain/service provider for A and an issuing domain for Enterprise C 208, which is a relying domain. FIG. 4: Enterprise A 410 with point-of-contact (POC) server 412, trust proxy (TP) (trust service) 414 and security token service (STS) 416; Enterprise B 420 with POC server 422 and trust service 424; trust broker 430.]

[Sheet 4 of 14. FIG. 3: client device 314 (browser application 316, ML interpreter 322, web services client 324) communicating over HTTP 320 with the federation front-end for the enterprise/domain 340: point-of-contact (POC) server 342, trust proxy (TP) (trust service) 344, security token service (STS) 346, federation configuration application 348, federation interface unit 350, federated user lifecycle management (FULM) application 352, single-sign-on protocol service (SPS) 354, identity and attribute service (IAS) 356 and federation user registry 358; legacy applications or back-end processing for the enterprise/domain 330: authentication service runtime servers, application servers, protected resources 335, legacy user registration application 336 and enterprise user registry 338. FIG. 5: trust relationships among federated domain X 502, federated domain Y 504 and federated domain Z 506, each with its own trust proxy: direct trust relationships between domains and a brokered trust relationship through trust broker 520.]

[Sheet 5 of 14. FIG. 6: a federated environment that supports federated single-sign-on: user 600; Enterprise A 610 with point-of-contact (POC) server 612 and trust proxy (TP) 614; Enterprise B 620 with POC server 622; Enterprise C 630 with POC server 632; trust broker 650. FIG. 7: components of a federated domain for federated user lifecycle management. Inside an external DMZ between two firewalls, point-of-contact (POC) server 702 receives requests 730 and forwards requests for protected resources 732 to application servers 704 and protected resources 706, and FULM requests 734 to the federated user lifecycle management (FULM) application/service 708, which comprises trust service 714, single-sign-on protocol service (SPS) 716, identity and attribute service (I&AS) 718, federation user registry 720 and FULM plug-ins 724; enterprise user registry 722.]

[Sheet 6 of 14. FIG. 8 (prior art): typical single-sign-on operation initiated by the identity provider, user previously provisioned at the SP. Dataflow among client, service provider and identity provider, time running downward: user has previously established an account with the SP (802); user has a valid (authenticated) session with the IdP (804); IdP offers links to federated resources; user selects an operation with a federated resource at a known service provider; IdP builds the SSO request (810); HTTP redirect with SSO for accessing the resource; HTTP request (redirected) for resource access (814); SP processes the SSO request; SP processes the resource access; HTTP redirect with the response.]

[Sheet 7 of 14. FIG. 9A: push-type single-sign-on operation with runtime user account creation at the SP (user not previously provisioned at the SP). Dataflow among client, service provider and identity provider: user has a valid (authenticated) session with the IdP (902); IdP offers links to resources at federated service providers (904); user selects an operation to access a resource at the SP (906); IdP performs IdP-side alias creation if the user is not federated (908); IdP builds the SSO request (910); HTTP redirect with SSO for accessing the resource (912); HTTP request (redirect) for resource access (914); SP processes the SSO request; the user is not federated, so the SP creates a new account for the user with the alias information provided by the IdP; SP processes the resource access; HTTP response for resource access.]

[Sheet 8 of 14. FIG. 9B: push-type single-sign-on operation with runtime user account creation at the SP, with additional pulling of user attributes by the SP from the IdP. Dataflow: user has a valid (authenticated) session with the IdP (902); IdP offers links to resources at federated service providers (904); user selects an operation to access a resource at the SP (906); IdP performs IdP-side alias creation if the user is not federated (908); IdP builds the SSO request (910); HTTP redirect with SSO for accessing the resource (912); HTTP request (redirect) for resource access (914); SP processes the SSO request (916); the user does not have an account and the SSO request does not include all required attributes (930); HTTP redirect for additional user attributes (932); HTTP request (redirect) with attribute request (934); IdP builds the attribute response (936); HTTP redirect with attribute response (938); HTTP request for the redirected URI with attributes (940); SP builds the user account with attributes and alias; SP processes the resource access; HTTP response for resource access.]

[Sheet 9 of 14. FIG. 9C: push-type single-sign-on operation with runtime user account creation at the SP, requiring additional pulling of user attributes by the SP from the IdP. Dataflow: user browses public resources at the IdP (952); IdP requires an authenticated session; IdP performs IdP-side alias creation if the user is not federated (962); IdP builds a push-type SSO request (964); HTTP redirect with SSO for accessing the resource (966); HTTP request (redirect) for resource access (968); SP processes the SSO response; the user is not federated, so the SP creates or attempts to create a new account for the user with the alias information provided by the IdP; the SSO response does not include all required user attributes for account creation or to complete account creation (continued in FIGS. 9D and 9E).]

[Sheet 10 of 14. FIG. 9D: completion of the push-type SSO operation with runtime user account creation at the SP, front-channel user attribute retrieval by the SP from the IdP: HTTP redirect for additional user attributes; HTTP request (redirect) with attribute request (978); IdP builds the attribute response; HTTP redirect with attribute response; SP builds (or completes creation of) the user account with attributes and alias; HTTP response for resource access. FIG. 9E: completion of the push-type SSO operation with back-channel user attribute retrieval by the SP from the IdP: SOAP request for additional attributes; IdP builds the attribute response; SOAP response with attribute response; SP builds (or completes creation of) the user account with attributes and alias; HTTP response for resource access.]

[Sheet 11 of 14. FIG. 10: flowchart of the runtime linked-user-account creation at the service provider. Begin; the service provider receives a request from the identity provider to access a protected resource based on a single-sign-on operation (1002); extract the user identifier from the received request message (1004); recognize user identity? (1006). If recognized: create an active session for the user (1024); generate a response based on access to the protected resource (1026); send the response to the identity provider (1028). If not recognized: extract any user attributes from the received request message (1008); sufficient information for provisioning the user? (1010); if no, send a request to the identity provider to obtain user attributes (1012) and receive the response from the identity provider with additional user attributes (1014); provision the user at the service provider (1016); sufficient information for making the user active? (1018); an "upper limit exceeded?" check bounds the attribute requests, leading to error handling (1022) when exceeded; otherwise continue to create the active session (1024).]

[Sheet 12 of 14. FIG. 11A: pull-type single-sign-on operation with runtime user provisioning at the SP (user not previously provisioned at the SP). Dataflow among client, service provider and identity provider: user browses public resources at the SP (1102); user requests a protected resource for which the SP requires a session (authentication) (1104); the SP cannot determine the user's IdP and asks the user for the preferred IdP (1106); user provides or selects an identifier for the IdP (1108); SP builds the SSO request for the user (the SP does not know the user is not federated); HTTP redirect for the SSO request to the IdP (1112); HTTP request (redirect) with SSO request to the IdP (1114); IdP authenticates the user, if required (1116); IdP evaluates the request (the SP is not requesting to federate a user identity); HTTP redirect with SSO response (1126); HTTP request (redirect) for the SSO response; SP processes the SSO response; the user is not federated, so the SP creates a new account for the user with the alias information provided by the IdP; SP processes the resource access; HTTP response for resource access.]

[Sheet 13 of 14. FIG. 11B: pull-type single-sign-on operation with runtime user provisioning at the SP, requiring additional pulling of user attributes by the SP from the IdP. Dataflow: user browses public resources at the SP (1102); user requests a protected resource for which the SP requires a session (authentication) (1104); the SP cannot determine the user's IdP and asks the user for the preferred IdP (1106); user provides or selects an identifier for the IdP (1108); SP builds the SSO request for the user (the SP does not know the user is not federated); HTTP redirect for the SSO request to the IdP (1112); HTTP request (redirect) with SSO request to the IdP (1114); IdP authenticates the user, if required (1116); IdP evaluates the request (the SP is not requesting to federate a user identity); IdP builds the pull-type SSO request; HTTP redirect with SSO response; the user is not federated, so the SP creates or attempts to create a new account for the user with the alias information provided by the IdP; the SSO response does not include all required user attributes for account creation or to complete account creation (continued in FIGS. 11C and 11D).]

[Sheet 14 of 14. FIG. 11C: completion of the pull-type SSO operation with runtime user account creation at the SP, front-channel user attribute retrieval by the SP from the IdP: HTTP redirect for additional user attributes; HTTP request (redirect) with attribute request (1156); IdP builds the attribute response; HTTP redirect with attribute response; HTTP request for the redirected URI with attributes (1162); SP builds (or completes creation of) the user account with attributes and alias; SP processes the resource access; HTTP response for resource access (1134). FIG. 11D: completion of the pull-type SSO operation with back-channel user attribute retrieval by the SP from the IdP: SOAP response with attribute response; SP builds (or completes creation of) the user account with attributes and alias; HTTP response for resource access.]

US 7,631,346 B2

METHOD AND SYSTEM FOR A RUNTIME USER ACCOUNT CREATION OPERATION WITHIN A SINGLE-SIGN-ON PROCESS IN A FEDERATED COMPUTING ENVIRONMENT

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to an improved data processing system and, in particular, to a method and apparatus for multicomputer data transferring. Still more particularly, the present invention is directed to networked computer systems.

2. Description of Related Art

Enterprises generally desire to provide authorized users with secure access to protected resources in a user-friendly manner throughout a variety of networks, including the Internet. Although providing secure authentication mechanisms reduces the risks of unauthorized access to protected resources, those authentication mechanisms may become barriers to accessing protected resources. Users generally desire the ability to change from interacting with one application to another application without regard to authentication barriers that protect each particular system supporting those applications.

As users get more sophisticated, they expect that computer systems coordinate their actions so that burdens on the user are reduced. These types of expectations also apply to authentication processes. A user might assume that once he or she has been authenticated by some computer system, the authentication should be valid throughout the user's working session, or at least for a particular period of time, without regard to the various computer architecture boundaries that are almost invisible to the user. Enterprises generally try to fulfill these expectations in the operational characteristics of their deployed systems, not only to placate users but also to increase user efficiency, whether the user efficiency is related to employee productivity or customer satisfaction.

More specifically, with the current computing environment in which many applications have a Web-based user interface that is accessible through a common browser, users expect more user-friendliness and low or infrequent barriers to movement from one Web-based application to another. In this context, users are coming to expect the ability to jump from interacting with an application on one Internet domain to another application on another domain without regard to the authentication barriers that protect each particular domain. However, even if many systems provide secure authentication through easy-to-use, Web-based interfaces, a user may still be forced to reckon with multiple authentication processes that stymie user access across a set of domains. Subjecting a user to multiple authentication processes in a given time frame may significantly affect the user's efficiency.

For example, various techniques have been used to reduce authentication burdens on users and computer system administrators. These techniques are generally described as "single-sign-on" (SSO) processes because they have a common purpose: after a user has completed a sign-on operation, i.e. been authenticated, the user is subsequently not required to perform another authentication operation. Hence, the goal is that the user would be required to complete only one authentication process during a particular user session.

To reduce the costs of user management and to improve interoperability among enterprises, federated computing spaces have been created. A federation is a loosely coupled affiliation of enterprises which adhere to certain standards of interoperability; the federation provides a mechanism for trust among those enterprises with respect to certain computational operations for the users within the federation. For example, a federation partner may act as a user's home domain or identity provider. Other partners within the same federation may rely on the user's identity provider for primary management of the user's authentication credentials, e.g., accepting a single-sign-on token that is provided by the user's identity provider.

As enterprises move to support federated business interactions, these enterprises should provide a user experience that reflects the increased cooperation between two businesses. As noted above, a user may authenticate to one party that acts as an identity provider and then single-sign-on to a federated business partner that acts as a service provider. In conjunction with single-sign-on functionality, additional user lifecycle functionality, such as single-sign-off, user provisioning, and account linking/delinking, should also be supported.

Single-sign-on solutions require that a user be identifiable in some form or another at both an identity provider and a service provider; the identity provider needs to be able to identify and authenticate a user, and the service provider needs to be able to identify the user based on some form of assertion about the user in response to a single-sign-on request. Various prior art single-sign-on solutions, e.g., such as those described in the Liberty Alliance ID-FF specifications, require that a user have an authenticatable account at both an identity provider and a service provider as a prerequisite to a federated single-sign-on operation. Some federated solutions support an a priori user account creation event across domains to be used to establish these accounts, thereby satisfying a requirement that a user have an authenticatable account at both an identity provider and a service provider as a prerequisite to a federated single-sign-on operation.

Although some federated solutions provide a robust set of federated user lifecycle management operations, such as user account creation, user account management, user attribute management, account suspension, and account deletion, these federated management systems do not provide a lightweight solution that is suitable for certain federation partners or for certain federated purposes.

Therefore, it would be advantageous to have methods and systems in which enterprises can provide comprehensive single-sign-on experiences to users in a federated computing environment in a lightweight manner that does not require an extensive amount of a priori processing.

SUMMARY OF THE INVENTION

A method, system, apparatus, and computer program product are presented to support computing systems of different enterprises that interact within a federated computing environment. Federated single-sign-on operations can be initiated at the computing systems of federation partners on behalf of a user even though the user has not established a user account at a federation partner prior to the initiation of the single-sign-on operation. For example, an identity provider can initiate a single-sign-on operation at a service provider while attempting to obtain access to a controlled resource on behalf of a user. When the service provider recognizes that it does not have a linked user account for the user that allows a single-sign-on operation from the identity provider, the service provider creates a local user account based at least in part on information from the identity provider. The service provider can also pull user attributes from the identity provider as necessary to perform the user account creation operation.

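The service-provider side of this runtime account creation, as an added illustration of the decision steps of FIG. 10 (not the patent's or IBM's code): the SSO request is assumed to have been validated by the trust service before it reaches this logic, and the required attribute names, the retry limit and the `sample_attribute_service` stand-in for the identity provider's attribute service are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
import secrets

# Attributes the SP must hold before it can provision a local account (decision
# 1010) and before it can make that account active (decision 1018). Both sets are
# assumptions; a real deployment would configure them per federation partner.
REQUIRED_FOR_PROVISIONING = ("alias", "email")
REQUIRED_FOR_ACTIVATION = ("alias", "email", "display_name")
# The "upper limit exceeded?" guard of FIG. 10: attribute round trips to the IdP
# per SSO request are bounded, so an unhelpful partner cannot loop the SP forever.
MAX_ATTRIBUTE_PULLS = 2

# Attribute pull from the asserting IdP (the back channel of FIGS. 9E / 11D):
# (idp, alias, names still missing) -> attributes returned by the IdP.
AttributePuller = Callable[[str, str, List[str]], Dict[str, str]]


class ProvisioningError(Exception):
    """The 'error handling' leg (1022): the account could not be built or activated."""


@dataclass
class SsoRequest:
    """Content of an SSO request after the trust service has validated it."""
    idp: str                                  # federation partner that asserted the user
    alias: str                                # IdP-supplied user identifier (alias)
    resource: str                             # protected resource being requested
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class ServiceProvider:
    pull_attributes: Optional[AttributePuller] = None
    # Accounts are keyed by (idp, alias): an alias only means something within the
    # IdP that issued it, so two partners can never collide on one local account.
    accounts: Dict[Tuple[str, str], dict] = field(default_factory=dict)
    sessions: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def handle_sso(self, req: SsoRequest) -> dict:
        """Steps 1002-1028 of FIG. 10 for one push-type SSO request from an IdP."""
        key = (req.idp, req.alias)                        # 1004: extract identifier
        account = self.accounts.get(key)                  # 1006: recognized?
        created = account is None
        pulls = 0                                         # round trips for this request
        if created:
            attrs = {"alias": req.alias, **req.attributes}   # 1008: attributes carried
            attrs, pulls = self._gather(req, attrs, REQUIRED_FOR_PROVISIONING, pulls)
            account = {"idp": req.idp, "attributes": attrs, "active": False}  # 1016
            self.accounts[key] = account
        if not account["active"]:                          # 1018, or completing an
            attrs = {**account["attributes"], **req.attributes}   # earlier attempt
            attrs, pulls = self._gather(req, attrs, REQUIRED_FOR_ACTIVATION, pulls)
            account.update(attributes=attrs, active=True)
        token = secrets.token_hex(16)                      # 1024: active session
        self.sessions[token] = key
        return {"status": 200, "resource": req.resource,   # 1026/1028: response to IdP
                "session": token, "account_created": created}

    def _gather(self, req: SsoRequest, attrs: Dict[str, str],
                required: Tuple[str, ...], pulls: int) -> Tuple[Dict[str, str], int]:
        """Pull missing attributes from the asserting IdP (1012/1014) until `required`
        is satisfied, failing once MAX_ATTRIBUTE_PULLS round trips have been spent."""
        while True:
            missing = [name for name in required if not attrs.get(name)]
            if not missing:
                return attrs, pulls
            if pulls >= MAX_ATTRIBUTE_PULLS or self.pull_attributes is None:
                raise ProvisioningError(f"{req.idp}/{req.alias}: missing {missing}")  # 1022
            pulls += 1
            answer = self.pull_attributes(req.idp, req.alias, missing)
            # Keep only what was asked for: the IdP that asserted the user is the sole
            # source of its attributes, and a pull may not overwrite values already held.
            attrs.update({k: v for k, v in answer.items() if k in missing and v})


def sample_attribute_service(idp: str, alias: str, missing: List[str]) -> Dict[str, str]:
    """Constructed stand-in for an IdP attribute service: it can answer for an
    e-mail address but holds no display name for anyone."""
    return {"email": f"{alias}@{idp}"} if "email" in missing else {}


def attempt(sp: ServiceProvider, req: SsoRequest) -> dict:
    """Run one SSO request and report the outcome instead of raising."""
    try:
        return sp.handle_sso(req)
    except ProvisioningError as exc:
        return {"status": 500, "error": str(exc)}


if __name__ == "__main__":
    sp = ServiceProvider(pull_attributes=sample_attribute_service)
    # First request: account is provisioned but cannot be activated (no display name).
    print(attempt(sp, SsoRequest("idp.example", "u7", "/protected")))
    # Second request carries the missing attribute and completes the creation.
    print(attempt(sp, SsoRequest("idp.example", "u7", "/protected",
                                 {"display_name": "User Seven"})))
```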
BRIEF DESCRIPTION OF THE DRAWINGS

The novel features believed characteristic of the invention are set forth in the appended claims. The invention itself, further objectives, and advantages thereof, will be best understood by reference to the following detailed description when read in conjunction with the accompanying drawings, wherein:

FIG. 1A depicts a typical network of data processing systems, each of which may implement the present invention;

FIG. 1B depicts a typical computer architecture that may be used within a data processing system in which the present invention may be implemented;

FIG. 1C depicts a data flow diagram that illustrates a typical authentication process that may be used when a client attempts to access a protected resource at a server;

FIG. 1D depicts a network diagram that illustrates a typical Web-based environment in which the present invention may be implemented;

FIG. 1E depicts a block diagram that illustrates an example of a typical online transaction that might require multiple authentication operations from a user;

FIG. 2 depicts a block diagram that illustrates the terminology of the federated environment with respect to a transaction that is initiated by a user to a first federated enterprise, which, in response, invokes actions at downstream entities within the federated environment;

FIG. 3 depicts a block diagram that illustrates the integration of pre-existing data processing systems at a given domain with some federated architecture components that may be used to support an embodiment of the present invention;

FIG. 4 depicts a block diagram that illustrates an example of a manner in which some components within a federated architecture may be used to establish trust relationships to support an implementation of the present invention;

FIG. 5 depicts a block diagram that illustrates an exemplary set of trust relationships between federated domains using trust proxies and a trust broker in accordance with an exemplary federated architecture that is able to support the present invention;

FIG. 6 depicts a block diagram that illustrates a federated environment that supports federated single-sign-on operations;

FIG. 7 depicts a block diagram that illustrates some of the components in a federated domain for implementing federated user lifecycle management functionality in order to support the present invention;

FIG. 8 depicts a dataflow diagram that shows a typical prior art HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider;

FIGS. 9A-9B depict dataflow diagrams that show an HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention;

FIGS. 9C-9E depict dataflow diagrams that show an HTTP-redirection-based single-sign-on operation that is initiated by a federated identity provider to obtain access to a protected resource at a federated service provider with alternative methods for obtaining user attributes by the federated service provider in accordance with an embodiment of the present invention;

FIG. 10 depicts a flowchart that shows a more detailed process for performing a runtime linked-user-account creation operation at a service provider during a single-sign-on operation that has been initiated by an identity provider;

FIG. 11A depicts a dataflow diagram that shows an HTTP-redirection-based pull-type single-sign-on operation that is initiated by a federated service provider to allow access to a protected resource at the federated service provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention; and

FIGS. 11B-11D depict a set of dataflow diagrams that show an HTTP-redirection-based pull-type single-sign-on operation that is initiated by a federated service provider to allow access to a protected resource at the federated service provider with additional retrieval of user attribute information from a federated identity provider while performing a runtime linked-user-account creation operation at the federated service provider in accordance with an embodiment of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

In general, the devices that may comprise or relate to the present invention include a wide variety of data processing technology. Therefore, as background, a typical organization of hardware and software components within a distributed data processing system is described prior to describing the present invention in more detail.

With reference now to the figures, FIG. 1A depicts a typical network of data processing systems, each of which may implement the present invention. Distributed data processing system 100 contains network 101, which is a medium that may be used to provide communications links between various devices and computers connected together within distributed data processing system 100. Network 101 may include permanent connections, such as wire or fiber optic cables, or temporary connections made through telephone or wireless communications. In the depicted example, server 102 and server 103 are connected to network 101 along with storage unit 104. In addition, clients 105-107 also are connected to network 101. Clients 105-107 and servers 102-103 may be represented by a variety of computing devices, such as mainframes, personal computers, personal digital assistants (PDAs), etc. Distributed data processing system 100 may include additional servers, clients, routers, other devices, and peer-to-peer architectures that are not shown.

In the depicted example, distributed data processing system 100 may include the Internet with network 101 representing a worldwide collection of networks and gateways that use various protocols to communicate with one another, such as LDAP (Lightweight Directory Access Protocol), TCP/IP (Transport Control Protocol/Internet Protocol), HTTP (HyperText Transport Protocol), etc. Of course, distributed data processing system 100 may also include a number of different types of networks, such as, for example, an intranet, a local area network (LAN), or a wide area network (WAN). For example, server 102 directly supports client 109 and network 110, which incorporates wireless communication links. Network-enabled phone 111 connects
