公开(公告)号：US20070255958A1

公开(公告)日：2007-11-01

申请号：US11416275

申请日：2006-05-01

申请人： Donald Schmidt ,  Danver Hartop ,  Derek Del Conte ,  Jagadeesh Kalki ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Ryan Johnson ,  Vijayavani Nori

发明人： Donald Schmidt ,  Danver Hartop ,  Derek Del Conte ,  Jagadeesh Kalki ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Ryan Johnson ,  Vijayavani Nori

IPC分类号： H04L9/00

CPC分类号： G06F21/335 ,  H04L63/08

摘要： This disclosure relates to the ability to use multiple claim transformation modules in a trust relationship. Claim transformation modules transform a claim or claim set into a transformed claim or claim set for use by a trusted partner and/or application. Multiple claim transformation modules may be given the opportunity to act on a claim or claim set in a pipelined fashion. In another embodiment, multiple claim transformation modules may exist, but only the proper claim transformation module(s) is(are) given the opportunity to act on a claim or claim set. In an embodiment, the claims involved are security claims used for authentication purposes between trust partners in a federated authentication system.

摘要翻译： 本公开涉及在信任关系中使用多个权利要求转换模块的能力。 索赔转换模块将权利要求或权利要求转换为经变更的权利要求或权利要求集，以供受信任的合作伙伴和/或应用使用。 可以给予多个权利要求转换模块机会以流水线方式对权利要求或权利要求采取行动。 在另一个实施例中，可以存在多个权利要求转换模块，但是只有适当的权利要求转换模块被赋予作用于权利要求或权利要求集合的机会。 在一个实施例中，所涉及的权利要求是用于在联合认证系统中的信任伙伴之间用于认证目的的安全性权利要求。

公开(公告)号：US20060259776A1

公开(公告)日：2006-11-16

申请号：US11129711

申请日：2005-05-13

申请人： Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

发明人： Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

IPC分类号： H04L9/00

CPC分类号： H04L63/0815 ,  G06F21/335 ,  G06F21/604

摘要： Systems and methods directed at enhancing the capability of a federated authentication system by configuring the system with extensibility points for adding new account stores and customizing claim transformations. The federated authentication system includes accounts stores, a security token service (STS), and custom claim transformation modules. The account stores are configured to maintain data associated with accounts and to provide security claims in an intermediate format. The STS is configured to retrieve the security claims provided by the account stores and includes built-in transformations for transforming each security claim from the intermediate format to formats associated with resource providers. The STS is further configured to provide extensibility points for custom claim transformations that are not available from the built-in transformations. The custom claim transformation modules are configured to perform at least one custom claim transformation. Each custom claim transformation module is further configured to interact with the STS through at least one of the extensibility points. The STS may be configured to provide extensibility points for interacting with account stores that the STS does not explicitly recognize.

摘要翻译： 系统和方法旨在通过配置具有用于添加新帐户存储和定制声明转换的扩展点的系统来增强联合身份验证系统的能力。 联合认证系统包括帐户存储，安全令牌服务（STS）和自定义索赔变换模块。 帐户存储被配置为维护与帐户相关联的数据，并以中间格式提供安全声明。 STS配置为检索由帐户存储提供的安全声明，并且包括用于将每个安全声明从中间格式转换为与资源提供者相关联的格式的内置转换。 STS进一步配置为为内置转换不可用的自定义索引转换提供可扩展点。 自定义索赔转换模块被配置为执行至少一个自定义索赔转换。 每个自定义权利要求转换模块还被配置为通过至少一个可扩展点与STS交互。 STS可以配置为提供与STS未明确识别的帐户存储交互的可扩展点。

公开(公告)号：US20060248598A1

公开(公告)日：2006-11-02

申请号：US11119236

申请日：2005-04-29

申请人： Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

发明人： Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

IPC分类号： H04L9/32 ,  G06F17/30 ,  G06F7/04 ,  G06K9/00 ,  H03M1/68 ,  H04L9/00 ,  H04K1/00 ,  H04N7/16

CPC分类号： H04L63/0815 ,  G06F21/33 ,  G06F21/6236 ,  H04L63/0807

摘要： Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The systems and methods described herein are directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider. A similar two step transformation process using intermediate claims can also be implemented by the resource provider to transform security claims provided by an identity provider from a federated format to formats recognized by the applications.

摘要翻译： 针对在联合认证系统中使用中间格式转换安全声明的系统和方法。 本文描述的系统和方法涉及使用中间格式在联合认证系统中转换安全权利要求。 联合认证系统包括身份提供者和资源提供者。 身份提供者接收来自资源提供者的信息的请求，以通过与资源提供者相关联的应用来认证帐户。 与帐户存储相关联的安全声明被检索，其中帐户存储以特定于帐户存储的格式提供安全声明。 安全声明从帐户商店特定格式转换为中间格式。 然后将安全声明从中间格式转换为由资源提供者识别的联合格式。 转换的安全声明在安全令牌中提供给资源提供者。 使用中间权利要求的类似的两步转换过程也可以由资源提供者来实现，以将由身份提供者提供的安全声明从联合格式转换为应用程序识别的格式。

公开(公告)号：US20060123472A1

公开(公告)日：2006-06-08

申请号：US11173008

申请日：2005-06-30

申请人： Donald Schmidt ,  Ryan Johnson ,  Kahren Tevosyan ,  Jeffrey Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David Mowers ,  Matthew Hur

发明人： Donald Schmidt ,  Ryan Johnson ,  Kahren Tevosyan ,  Jeffrey Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David Mowers ,  Matthew Hur

IPC分类号： G06F17/30

CPC分类号： H04L63/08 ,  G06F21/41 ,  H04L63/0209 ,  H04L63/0815 ,  H04L63/101

摘要： A system for authenticating computer users comprising, a single active directory disposed in a federated partner, a web server disposed in a DMZ associated with the intranet; and a client disposed in the federated partner coupled to the web server through an internet connection that is capable of signing on to the web server.

摘要翻译： 一种用于认证计算机用户的系统，包括：设置在联合伙伴中的单个活动目录，设置在与所述内联网相关联的DMZ中的web服务器; 以及通过能够登录到web服务器的因特网连接而配置在联合对方中的客户端，其耦合到web服务器。

公开(公告)号：US20060123234A1

公开(公告)日：2006-06-08

申请号：US11173004

申请日：2005-06-30

申请人： Donald Schmidt ,  Ryan Johnson ,  Kahren Tevosyan ,  Jeffrey Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David Mowers ,  Matthew Hur

发明人： Donald Schmidt ,  Ryan Johnson ,  Kahren Tevosyan ,  Jeffrey Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David Mowers ,  Matthew Hur

IPC分类号： H04L9/00

CPC分类号： H04L63/0209 ,  H04L63/0815 ,  H04L63/168

摘要： A system for authenticating computer users comprising a single active directory disposed in an intranet, a web server disposed in a DMZ associated with the intranet, and a web client coupled to the web server through an internet connection that is capable of signing on to the web server.

公开(公告)号：US20060112422A1

公开(公告)日：2006-05-25

申请号：US10993745

申请日：2004-11-19

申请人： Kahren Tevosyan ,  Matthew Hur ,  Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman

发明人： Kahren Tevosyan ,  Matthew Hur ,  Ryan Johnson ,  Donald Schmidt ,  Jeffrey Spelman

IPC分类号： H04L9/32 ,  G06F17/30 ,  G06F15/16 ,  G06F7/04 ,  G06F7/58 ,  G06K19/00 ,  G06K9/00

CPC分类号： H04L63/0807 ,  H04L63/0815 ,  H04L67/02 ,  H04L67/2814

摘要： The described systems, methods, and data structures are directed at data transfer using Hyper-Text Transfer Protocol (HTTP) query strings. A block of data is partitioned into sections. Each section is encoded in a query string of a HTTP message. Each HTTP message is sent to a server by redirecting through a client. Multiple redirected messages are sent until the entire block of data is transferred to the server. The data block may be stored as a cookie on the client so that the data block does not have to persist on any server. Data transfer using HTTP query strings may be implemented to transfer a security token from a security token service (STS) server to an application server.

摘要翻译： 所描述的系统，方法和数据结构针对使用超文本传输​​协议（HTTP）查询字符串的数据传输。 数据块被划分为多个部分。 每个部分都编码在HTTP消息的查询字符串中。 每个HTTP消息都通过重定向到客户端发送到服务器。 发送多个重定向消息，直到整个数据块传输到服务器。 数据块可以作为cookie存储在客户端上，使得数据块不必在任何服务器上持久存储。 可以实现使用HTTP查询字符串的数据传输，以将安全令牌从安全令牌服务（STS）服务器传输到应用程序服务器。

公开(公告)号：US08245051B2

公开(公告)日：2012-08-14

申请号：US11129711

申请日：2005-05-13

申请人： Ryan D. Johnson ,  Donald E. Schmidt ,  Jeffrey F. Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

发明人： Ryan D. Johnson ,  Donald E. Schmidt ,  Jeffrey F. Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

IPC分类号： H04L29/06

CPC分类号： H04L63/0815 ,  G06F21/335 ,  G06F21/604

摘要： Systems and methods directed at enhancing the capability of a federated authentication system by configuring the system with extensibility points for adding new account stores and customizing claim transformations. The federated authentication system includes accounts stores, a security token service (STS), and custom claim transformation modules. The account stores are configured to maintain data associated with accounts and to provide security claims in an intermediate format. The STS is configured to retrieve the security claims provided by the account stores and includes built-in transformations for transforming each security claim from the intermediate format to formats associated with resource providers. The STS is further configured to provide extensibility points for custom claim transformations that are not available from the built-in transformations. The custom claim transformation modules are configured to perform at least one custom claim transformation. Each custom claim transformation module is further configured to interact with the STS through at least one of the extensibility points. The STS may be configured to provide extensibility points for interacting with account stores that the STS does not explicitly recognize.

摘要翻译： 系统和方法旨在通过配置具有用于添加新帐户存储和定制声明转换的扩展点的系统来增强联合身份验证系统的能力。 联合认证系统包括帐户存储，安全令牌服务（STS）和自定义索赔变换模块。 帐户存储被配置为维护与帐户相关联的数据，并以中间格式提供安全声明。 STS配置为检索由帐户存储提供的安全声明，并且包括用于将每个安全声明从中间格式转换为与资源提供者相关联的格式的内置转换。 STS进一步配置为为内置转换不可用的自定义索引转换提供可扩展点。 自定义索赔转换模块被配置为执行至少一个自定义索赔转换。 每个自定义权利要求转换模块还被配置为通过至少一个可扩展点与STS交互。 STS可以配置为提供与STS未明确识别的帐户存储交互的可扩展点。

公开(公告)号：US07748046B2

公开(公告)日：2010-06-29

申请号：US11119236

申请日：2005-04-29

申请人： Ryan D. Johnson ,  Donald E. Schmidt ,  Jeffrey F. Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

发明人： Ryan D. Johnson ,  Donald E. Schmidt ,  Jeffrey F. Spelman ,  Kahren Tevosyan ,  Vijayavani Nori

IPC分类号： G06F21/00

CPC分类号： H04L63/0815 ,  G06F21/33 ,  G06F21/6236 ,  H04L63/0807

摘要： Systems and methods directed at transforming security claims in a federated authentication system using an intermediate format. The systems and methods described herein are directed at transforming security claims in a federated authentication system using an intermediate format. The federated authentication system includes an identity provider and a resource provider. The identity provider receives a request for information from the resource provider to authenticate an account by an application associated with the resource provider. A security claim associated with the account is retrieved where the security claim is provided by an account store in a format specific to the account store. The security claim is transformed from the account store specific format to an intermediate format. The security claim is then transformed from the intermediate format to a federated format recognized by the resource provider. The transformed security claim is provided in a security token to the resource provider. A similar two step transformation process using intermediate claims can also be implemented by the resource provider to transform security claims provided by an identity provider from a federated format to formats recognized by the applications.

摘要翻译： 针对在联合认证系统中使用中间格式转换安全声明的系统和方法。 本文描述的系统和方法涉及使用中间格式在联合认证系统中转换安全权利要求。 联合认证系统包括身份提供者和资源提供者。 身份提供者接收来自资源提供者的信息的请求，以通过与资源提供者相关联的应用来认证帐户。 与帐户存储相关联的安全声明被检索，其中帐户存储以特定于帐户存储的格式提供安全声明。 安全声明从帐户商店特定格式转换为中间格式。 然后将安全声明从中间格式转换为由资源提供者识别的联合格式。 转换的安全声明在安全令牌中提供给资源提供者。 使用中间权利要求的类似的两步转换过程也可以由资源提供者来实现，以将由身份提供者提供的安全声明从联合格式转换为应用程序识别的格式。

公开(公告)号：US07603555B2

公开(公告)日：2009-10-13

申请号：US11173004

申请日：2005-06-30

申请人： Donald E. Schmidt ,  Ryan D. Johnson ,  Kahren Tevosyan ,  Jeffrey F. Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David R. Mowers ,  Matthew Hur

发明人： Donald E. Schmidt ,  Ryan D. Johnson ,  Kahren Tevosyan ,  Jeffrey F. Spelman ,  Krishnanand Shenoy ,  Harini Raghavan ,  David R. Mowers ,  Matthew Hur

IPC分类号： H04L9/00

CPC分类号： H04L63/0209 ,  H04L63/0815 ,  H04L63/168

摘要： A system for authenticating computer users comprising a single active directory disposed in an intranet, a web server disposed in a DMZ associated with the intranet, and a web client coupled to the web server through an internet connection that is capable of signing on to the web server.

摘要翻译： 一种用于认证计算机用户的系统，包括设置在内联网中的单个活动目录，布置在与内联网相关联的DMZ中的web服务器，以及通过互联网连接耦合到web服务器的web客户端，该互联网连接能够登录到web 服务器。

公开(公告)号：US07702917B2

公开(公告)日：2010-04-20

申请号：US10993745

申请日：2004-11-19

申请人： Kahren Tevosyan ,  Matthew Hur ,  Ryan D Johnson ,  Donald E Schmidt ,  Jeffrey F Spelman

发明人： Kahren Tevosyan ,  Matthew Hur ,  Ryan D Johnson ,  Donald E Schmidt ,  Jeffrey F Spelman

IPC分类号： G06F21/00

CPC分类号： H04L63/0807 ,  H04L63/0815 ,  H04L67/02 ,  H04L67/2814

摘要： The described systems, methods, and data structures are directed at data transfer using Hyper-Text Transfer Protocol (HTTP) query strings. A block of data is partitioned into sections. Each section is encoded in a query string of a HTTP message. Each HTTP message is sent to a server by redirecting through a client. Multiple redirected messages are sent until the entire block of data is transferred to the server. The data block may be stored as a cookie on the client so that the data block does not have to persist on any server. Data transfer using HTTP query strings may be implemented to transfer a security token from a security token service (STS) server to an application server.

摘要翻译： 所描述的系统，方法和数据结构针对使用超文本传输​​协议（HTTP）查询字符串的数据传输。 数据块被划分为多个部分。 每个部分都编码在HTTP消息的查询字符串中。 每个HTTP消息都通过重定向到客户端发送到服务器。 发送多个重定向消息，直到整个数据块传输到服务器。 数据块可以作为cookie存储在客户端上，使得数据块不必在任何服务器上持久存储。 可以实现使用HTTP查询字符串的数据传输，以将安全令牌从安全令牌服务（STS）服务器传输到应用程序服务器。